Will It Vibe logoWill It Vibe?
INJECT-008Medium severity-8 points

SQL built with string interpolation (Ruby)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

An ActiveRecord where/find_by_sql/execute call interpolates a value with #{...} inside a SQL string instead of using a placeholder or hash conditions.

Why it matters

Interpolating #{value} into a where/find_by_sql/execute string builds the query from text, which is SQL injection. ActiveRecord supports placeholders and hash conditions that bind values safely. It is a heuristic because interpolating a trusted constant would also match.

How to fix it

Use bound conditions: where("id = ?", id) or where(id: id) with a hash, and pass values as arguments instead of interpolating them. For raw SQL, use sanitize_sql_array or the array/hash forms rather than #{}.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks