Due to the way Active Record interprets parameters in
combination with the way that Rack parses query parameters, it
is possible for an attacker to issue unexpected database
queries with "IS NULL" where clauses. Rack turns a query-string
key sent without a value ("name") into nil, and an array item
sent without a value ("name[]") into an array containing nil;
when either value reaches a hash condition such as
where(:name => params[:name]), Active Record generates an
"IS NULL" condition instead of an equality check. This issue
does *not* let an attacker insert arbitrary values into an SQL
query, but it does let them make the query test a column for
NULL where most users wouldn't expect it.

Due to the way Active Record handles nested query parameters,
an attacker can use a specially crafted request to inject some
forms of SQL into your application's SQL queries.
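The following is an added example that models both issues above (the "IS NULL" clause from a nil or array parameter, and the attacker-chosen table and column from a nested parameter) and the check an application can apply before the parameter reaches a query. It is not Rack's or Active Record's code: parse_nested_query is a reduced re-implementation of Rack's nested query parsing for the forms shown, hash_condition_sql is an illustrative model of how a hash condition was rendered by the affected versions (double-quoted identifiers, "table.column" keys naming the table, a nil or nil-containing array becoming "IS NULL"; empty arrays are out of scope), and the users table, name column and the String-only check in safe_user_query are assumptions about the application, not a Rails API.

```ruby
require "cgi"

# Simplified Rack-style nested query parsing (not Rack's code). Forms handled:
#   name=alice          -> {"name"=>"alice"}
#   name                -> {"name"=>nil}              (key, no value)
#   name[]              -> {"name"=>[nil]}            (array item, no value)
#   name[users.admin]=1 -> {"name"=>{"users.admin"=>"1"}}
def parse_nested_query(query_string)
  params = {}
  query_string.split("&").each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split("=", 2)
    key   = CGI.unescape(raw_key)
    value = raw_value && CGI.unescape(raw_value)
    m = key.match(/\A([^\[]+)((?:\[[^\]]*\])*)\z/)
    next unless m
    base, subkeys = m[1], m[2].scan(/\[([^\]]*)\]/).flatten
    if subkeys.empty?
      params[base] = value
    elsif subkeys == [""]
      (params[base] ||= []) << value
    else
      node = (params[base] ||= {})
      subkeys[0..-2].each { |k| node = (node[k] ||= {}) }
      node[subkeys.last] = value
    end
  end
  params
end

def quote_ident(name)
  %("#{name.to_s.gsub('"', '""')}")
end

def quote_literal(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Illustrative model (assumed, not Rails' code) of how the affected versions
# turned where(column => value) into SQL. The two properties that matter:
#   * nil, or an Array containing nil, is rendered as "IS NULL";
#   * a Hash is read as {table => {column => value}}, and a key written as
#     "table.column" names the table, so the request decides which column
#     is compared.
def hash_condition_sql(table, column, value)
  column = column.to_s
  table, column = column.split(".", 2) if column.include?(".")
  ident = "#{quote_ident(table)}.#{quote_ident(column)}"
  case value
  when nil
    "#{ident} IS NULL"
  when Array
    nulls, rest = value.partition(&:nil?)
    null_clause = "#{ident} IS NULL"
    in_clause   = "#{ident} IN (#{rest.map { |v| quote_literal(v) }.join(', ')})"
    if rest.empty?  then null_clause
    elsif nulls.empty? then in_clause
    else "(#{in_clause} OR #{null_clause})"
    end
  when Hash
    value.map { |col, v| hash_condition_sql(column, col, v) }.join(" AND ")
  else
    "#{ident} = #{quote_literal(value)}"
  end
end

# The lookup written the way the advisory warns about: the request parameter
# goes straight into a hash condition (assumed users table / name column).
def user_query(params)
  %(SELECT "users".* FROM "users" WHERE #{hash_condition_sql("users", "name", params["name"])})
end

# Hardened lookup: a column match only makes sense for a single String, so
# nil, Array and Hash values are rejected before they reach the query builder.
# The type check is an application-level decision, not a Rails API.
def safe_user_query(params)
  value = params["name"]
  raise ArgumentError, "name must be a String, got #{value.inspect}" unless value.is_a?(String)
  user_query("name" => value)
end

if __FILE__ == $0
  # Constructed sample requests: one benign, three crafted.
  ["name=alice", "name", "name[]", "name[users.admin]=1"].each do |qs|
    params = parse_nested_query(qs)
    puts "#{qs.ljust(22)} #{params.inspect}"
    puts "  vulnerable: #{user_query(params)}"
    begin
      puts "  hardened:   #{safe_user_query(params)}"
    rescue ArgumentError => e
      puts "  hardened:   rejected (#{e.message})"
    end
  end
end
```

Run it directly to see, for each constructed request, the parameters Rack-style parsing produces, the WHERE clause the vulnerable lookup would issue, and whether the hardened lookup accepts the value. Rejecting anything that is not a String is the check that covers both issues at once; rewriting the lookup as where("name = ?", params[:name]) would still accept a nil and compare against NULL, so the type check belongs in front of the query regardless of how it is written.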