> ## Documentation Index
> Fetch the complete documentation index at: https://docs.codeant.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

<AccordionGroup>
  <Accordion title="tainted-deserialization">
    Deserialization of a string tainted by the `event` object was found. Objects in Ruby can be serialized into strings and later loaded back from those strings. However, uses of `load` on attacker-controlled input can cause remote code execution. Loading user input with Marshal, YAML or CSV is potentially dangerous. If you need to deserialize untrusted data, use JSON, as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-502: Deserialization of Untrusted Data
    <br />**OWASP**: <br />- A08:2017 - Insecure Deserialization
    <br />- A08:2021 - Software and Data Integrity Failures
  </Accordion>

  <Accordion title="tainted-sql-string">
    Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    <br />**OWASP**: <br />- A01:2017 - Injection
    <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="sequel-sqli">
    Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    <br />**OWASP**: <br />- A01:2017 - Injection
    <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="mysql2-sqli">
    Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can escape input before using it like so: `escaped = client.escape(user_input)`<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    <br />**OWASP**: <br />- A01:2017 - Injection
    <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="activerecord-sqli">
    Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql ["SELECT title FROM posts WHERE author = ? AND created > ?", author_id, start_date]`<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    <br />**OWASP**: <br />- A01:2017 - Injection
    <br />- A03:2021 - Injection
  </Accordion>

  <Accordion title="pg-sqli">
    Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`<br />**Likelihood**: MEDIUM<br />**Confidence**: MEDIUM<br />**CWE**: <br />- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    <br />**OWASP**: <br />- A01:2017 - Injection
    <br />- A03:2021 - Injection
  </Accordion>
</AccordionGroup>
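The contrast the `sequel-sqli`, `activerecord-sqli` and `pg-sqli` rules describe, as an added example that is not part of this documentation or any CodeAnt rule: a tainted value from the `event` object spliced into SQL text versus the same value passed as a bound parameter, plus a small unit-test helper that proves a query builder's SQL text does not depend on its input. The event shape and all constants are constructed assumptions.

```ruby
# Constructed sample API Gateway proxy events (assumed shape, not from the page).
BENIGN_EVENT  = { 'queryStringParameters' => { 'name' => 'widget' } }.freeze
HOSTILE_EVENT = { 'queryStringParameters' => { 'name' => "widget' OR '1'='1" } }.freeze

# The pattern the rules flag: an event-derived value is interpolated into the
# SQL text, so a quote character in the input changes the query's structure.
def tainted_items_sql(event)
  name = event['queryStringParameters']['name']
  "SELECT * FROM items WHERE name = '#{name}'"
end

# Fixed form: constant SQL text plus a bound parameter, the shape Sequel's
# DB['... ?', name] and pg's exec_params consume. The input never becomes SQL.
def parameterized_items_query(event)
  name = event['queryStringParameters']['name']
  ['SELECT * FROM items WHERE name = ?', [name]]
end

# Defensive unit-test helper: a builder is free of string-built SQL when its
# SQL text is identical for two different events (only the parameters vary).
# A builder returning a bare String (the tainted form) is handled as well.
def sql_text_input_independent?(builder, event_a, event_b)
  sql_a, _params_a = builder.call(event_a)
  sql_b, _params_b = builder.call(event_b)
  sql_a == sql_b
end

# Arity check before handing the pair to a driver: each '?' placeholder needs
# exactly one parameter, otherwise the driver raises or misbinds values.
def placeholders_match?(sql, params)
  sql.count('?') == params.length
end

if __FILE__ == $PROGRAM_NAME
  puts tainted_items_sql(HOSTILE_EVENT)            # structure altered by input
  sql, params = parameterized_items_query(HOSTILE_EVENT)
  puts "#{sql} -- params: #{params.inspect}"       # text unchanged; input is data
  puts sql_text_input_independent?(method(:parameterized_items_query),
                                   BENIGN_EVENT, HOSTILE_EVENT)
end
```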
