mirror of
https://github.com/github/codeql.git
synced 2026-07-15 08:18:18 +02:00
10 lines
338 B
Ruby
10 lines
338 B
Ruby
|
|
class PotatoController < ActionController::Base
|
|
def unsafe_action
|
|
name = params[:user_name] # $ Source
|
|
# BAD: SQL statement constructed from user input
|
|
sql = Arel.sql("SELECT * FROM users WHERE name = #{name}") # $ Alert
|
|
sql = Arel::Nodes::SqlLiteral.new("SELECT * FROM users WHERE name = #{name}") # $ Alert
|
|
end
|
|
end
|