We sometimes use raw SQL in Active Record methods. This can lead to SQL injection vulnerabilities when we unknowingly pass unsanitized user input to the Active Record method.
Although such code looks fine on the surface, the issues become apparent in the example from rails-sqli.
There are many Active Record methods which are vulnerable to SQL injection and some of these can be found here.
However, in Rails 5.2 these APIs were changed so that they accept only attribute arguments; raw SQL strings are no longer allowed. In Rails 5.2 this is not yet mandatory, but the developer sees a deprecation warning as a reminder.
In Rails 6, this results in an error.
In Rails 5.2, if we want to run raw SQL without getting the above warning, we have to wrap the raw SQL string literal in an Arel::Nodes::SqlLiteral object (via Arel.sql).
This should be done with care and never with user input, because the wrapper marks the string as trusted and bypasses the check entirely.
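To make the behaviour described above concrete, here is an added, dependency-free Ruby example (not code from the original post and not Rails' own implementation) that models two things: the Rails 5.2/6 check that rejects non-attribute strings passed to methods like order and pluck unless they are explicitly wrapped as a SQL literal, and the defensive allow-list pattern to use when a sort column comes from a request parameter. The names SqlLiteral, sql_literal, RawSqlError, disallow_raw_sql! and safe_order_clause are assumptions standing in for Arel::Nodes::SqlLiteral, Arel.sql and Active Record's internal check; the column-name pattern is a simplified version of what Rails accepts.

```ruby
# Added example, not from the original post or from Rails. Models the Rails 5.2
# deprecation / Rails 6 error for raw SQL in order/pluck arguments, and shows
# how to handle a user-controlled sort column safely.

# Stand-in for Arel::Nodes::SqlLiteral: marks a string as *trusted* SQL.
# (assumption: Rails' real class is Arel::Nodes::SqlLiteral)
class SqlLiteral < String; end

# Stand-in for Arel.sql(...): wrap only developer-written constants, never input.
def sql_literal(str)
  SqlLiteral.new(str)
end

class RawSqlError < StandardError; end

# Simplified column-name pattern: optional "table." prefix, a column name, and
# an optional ASC/DESC. A plain String that does not match is treated as raw SQL.
COLUMN_NAME_WITH_ORDER = /\A(?:\w+\.)?\w+(?:\s+(?:asc|desc))?\z/i

# Models the Active Record check described in the post.
#   mode: :warn  -> Rails 5.2 behaviour (deprecation warning, returns false)
#   mode: :raise -> Rails 6 behaviour (raises RawSqlError)
# Returns true when every argument is an attribute or an explicit SqlLiteral.
def disallow_raw_sql!(args, mode: :raise)
  unsafe = args.reject do |arg|
    arg.is_a?(Symbol) ||            # :created_at
      arg.is_a?(SqlLiteral) ||      # Arel.sql("...") equivalent, trusted by construction
      arg.to_s.match?(COLUMN_NAME_WITH_ORDER)
  end
  return true if unsafe.empty?

  msg = "Dangerous query method called with non-attribute argument(s): #{unsafe.inspect}"
  if mode == :warn
    warn "DEPRECATION WARNING: #{msg}"
    false
  else
    raise RawSqlError, msg
  end
end

# Defensive pattern for user-controlled sorting: do not interpolate the request
# parameter into SQL; map it through an allow-list so only a known column name
# (which passes the check above without any SqlLiteral wrapping) reaches order.
PERMITTED_SORT_COLUMNS = %w[name created_at].freeze

def safe_order_clause(sort_param, direction_param)
  column = PERMITTED_SORT_COLUMNS.include?(sort_param) ? sort_param : "created_at"
  direction = direction_param.to_s.downcase == "asc" ? "ASC" : "DESC"
  "#{column} #{direction}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: an attribute, a raw expression, and the same expression
  # explicitly marked as trusted SQL.
  p disallow_raw_sql!(["name", :created_at])                      # true
  p disallow_raw_sql!(["LENGTH(name) DESC"], mode: :warn)          # false + warning
  p disallow_raw_sql!([sql_literal("LENGTH(name) DESC")])          # true
  p safe_order_clause("LENGTH(name)", "desc")                      # "created_at DESC"
end
```

The important property is visible in the last two calls: wrapping a string as a SQL literal makes the check pass unconditionally, so the allow-list approach in safe_order_clause is the right tool for request parameters, and the wrapper is reserved for constants the developer wrote.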