Pattern: Use of where("name = '#{params[:name]}'")
Issue: -
Check for use of where("name = '#{params[:name]}'"). Passing user input to where() without parameterization can result in SQL Injection.
# bad (user input interpolated into the SQL string)
u = User.where("name = '#{params[:name]}'")
# good (positional "?" placeholders, values bound separately)
u = User.where("name = ? AND id = ?", params[:name], params[:id])
# good (hash conditions, values quoted by ActiveRecord)
u = User.where(name: params[:name], id: params[:id])
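The following is an added example, not code from the original page or from Rails itself. It is a small stand-in for the quoting that ActiveRecord performs for "?" placeholders and hash conditions, written in plain Ruby so it runs without a database. The function names (unsafe_where, safe_where, hash_where, quote) and the users table are assumptions made for the illustration; the crafted input is a constructed sample. It shows why the interpolated form produces a second predicate while the bound forms keep the whole input inside one string literal.

```ruby
# Added example (not from the original page): models ActiveRecord's
# placeholder binding to show the difference between interpolation
# and parameterized where() calls. All names here are hypothetical.

# bad: the caller's value is spliced straight into the SQL text,
# exactly like User.where("name = '#{params[:name]}'").
def unsafe_where(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Quote a Ruby value as a SQL literal. String quotes are doubled,
# which is how ActiveRecord's quoting neutralises an embedded quote;
# integers pass through unquoted and nil becomes NULL.
def quote(value)
  case value
  when Integer then value.to_s
  when NilClass then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# good: each "?" is replaced by the quoted bind value, modelled on
# User.where("name = ? AND id = ?", params[:name], params[:id]).
def safe_where(fragment, *values)
  unless fragment.count("?") == values.length
    raise ArgumentError, "wrong number of bind values for #{fragment.inspect}"
  end
  i = -1
  clause = fragment.gsub("?") { quote(values[i += 1]) }
  "SELECT * FROM users WHERE #{clause}"
end

# good: hash conditions, modelled on User.where(name: ..., id: ...).
# Keys are column names chosen by the developer, never by the user;
# only the values come from params, and they are quoted.
def hash_where(conditions)
  clause = conditions.map { |col, v| "#{col} = #{quote(v)}" }.join(" AND ")
  "SELECT * FROM users WHERE #{clause}"
end

if __FILE__ == $0
  crafted = "' OR '1'='1"   # constructed sample input
  puts unsafe_where(crafted)                  # two predicates: injected
  puts safe_where("name = ?", crafted)        # one literal: harmless
  puts hash_where(name: crafted, id: 7)       # one literal: harmless
end
```

Usage note: the crafted value closes the string literal in unsafe_where and appends a predicate that is always true, whereas in safe_where and hash_where the doubled quotes keep the whole value inside a single literal. Real ActiveRecord additionally quotes column identifiers and uses the database driver's escaping rules; this stand-in only reproduces the string-quoting step that matters for the rule above.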