I have the following line which was suspected of SQL injection by a static code analyzer:

Admin.joins(:accounts_admins).where(user_id: params[:user_user_id], "members.account_id" => @account.id).first

To me, it looks safe as it's using a parameterized query. Let me know if anyone thinks otherwise.

1 Answer

You're correct; Rails will convert the WHERE clause to use bound parameters and thus avoid the risk of SQL injection.

That said, as a best practice, you should leverage strong_parameters or some other form of parameter validation. As your code is written, a nil value will cause Rails to insert a WHERE user_id IS NULL expression. That's likely not a problem here, but in some cases it can cause unauthorized access.
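As an added illustration (not code from the question or the answer), the following plain-Ruby script stands in for the database and for `params.require`, so it runs without Rails: it shows how a nil parameter turns the hash condition into `IS NULL` and matches a row no user owns, and how a required-integer check of the kind strong_parameters provides rejects that input before it reaches the query. The table rows, the helper names and the `user_user_id` key are constructed for this example.

```ruby
# Added example: simulates the nil-parameter failure mode described in the
# answer and a minimal required-integer parameter check. Rows and helper
# names are constructed for illustration; this is not Rails' own code.

# Constructed sample rows for admins joined to accounts_admins.
ADMINS = [
  { id: 1, user_id: 10,  account_id: 7 },
  { id: 2, user_id: 20,  account_id: 7 },
  { id: 3, user_id: nil, account_id: 7 }, # orphaned admin row with no user
].freeze

# Mirrors how ActiveRecord renders a hash condition: nil becomes IS NULL,
# any other value becomes a bound placeholder (never string interpolation).
def user_id_predicate(value)
  value.nil? ? ['admins.user_id IS NULL', []] : ['admins.user_id = ?', [value]]
end

# Evaluates that predicate against the in-memory rows (stand-in for the DB).
def find_admin(user_id, account_id)
  ADMINS.find { |r| r[:account_id] == account_id && r[:user_id] == user_id }
end

class MissingParameter < StandardError; end

# Minimal stand-in for params.require(:user_user_id) plus a type check:
# missing, blank or non-integer input is rejected before any query is built.
def required_int_param(params, key)
  raw = params[key]
  raise MissingParameter, "param is missing: #{key}" if raw.nil? || raw.to_s.strip.empty?
  raise ArgumentError, "#{key} must be an integer" unless raw.to_s.match?(/\A\d+\z/)
  Integer(raw.to_s, 10)
end

if __FILE__ == $PROGRAM_NAME
  puts user_id_predicate(nil).first   # admins.user_id IS NULL
  p find_admin(nil, 7)                # the orphaned row (id 3) is returned
  p find_admin(required_int_param({ user_user_id: '10' }, :user_user_id), 7)
end
```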
