sql injection vulnerability in ruby on rails