SQL fragment from params
Dynamic column names from params can enable SQL injection even inside a where hash.
Before
User.where(params[:filter_column] => params[:value])Suggested direction
ALLOWED = %w[email status].freeze
column = ALLOWED.include?(params[:column]) ? params[:column] : 'email'
User.where(column => params[:value])