diff --git a/app/controllers/my_profile/manage_products_controller.rb b/app/controllers/my_profile/manage_products_controller.rb
index 84d267c..29c4a29 100644
--- a/app/controllers/my_profile/manage_products_controller.rb
+++ b/app/controllers/my_profile/manage_products_controller.rb
@@ -206,7 +206,8 @@ class ManageProductsController < ApplicationController
 end
 def certifiers_for_selection
- @qualifier = Qualifier.exists?(params[:id]) ? Qualifier.find(params[:id]) : nil
+ # updated to use hash as argument to exists? to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+ @qualifier = Qualifier.exists?(:id => params[:id]) ? Qualifier.find(params[:id]) : nil
 render :update do |page|
 page.replace_html params[:certifier_area], :partial => 'certifiers_for_selection'
 end
diff --git a/app/controllers/public/contact_controller.rb b/app/controllers/public/contact_controller.rb
index fd29463..be3bbd9 100644
--- a/app/controllers/public/contact_controller.rb
+++ b/app/controllers/public/contact_controller.rb
@@ -6,8 +6,9 @@ class ContactController < PublicController
 def new
 @contact = build_contact
 if request.post? && params[:confirm] == 'true'
- @contact.city = (!params[:city].blank? && City.exists?(params[:city])) ? City.find(params[:city]).name : nil
- @contact.state = (!params[:state].blank? && State.exists?(params[:state])) ? State.find(params[:state]).name : nil
+ # updated to use hash as argument to exists? to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+ @contact.city = (!params[:city].blank? && City.exists?(:id => params[:city])) ? City.find(params[:city]).name : nil
+ @contact.state = (!params[:state].blank? && State.exists?(:id => params[:state])) ? State.find(params[:state]).name : nil
 if @contact.deliver
 session[:notice] = _('Contact successfully sent')
 redirect_to :action => 'new'
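Review bot: In certifiers_for_selection the `exists?` check followed by `find` still issues two queries for one lookup, and ContactController#new in the second hunk repeats the same pattern for City and State. `Qualifier.find_by_id(params[:id])` returns the record or nil in a single parameterized query, so the line can become `@qualifier = Qualifier.find_by_id(params[:id])`, and the contact lines can take the same shape, e.g. `@contact.city = params[:city].blank? ? nil : City.find_by_id(params[:city]).try(:name)`. The hash form of `exists?` is the right answer to the injection warning; this is only about the redundant round trip. Both methods continue outside their hunks.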
diff --git a/app/models/product_category.rb b/app/models/product_category.rb
index db73ae2..0cf3890 100644
--- a/app/models/product_category.rb
+++ b/app/models/product_category.rb
@@ -13,8 +13,11 @@ class ProductCategory < Category
 scope :by_environment, lambda { |environment| { :conditions => ['environment_id = ?', environment.id] }}
+
+ # updated scope method to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+ # explicited to_i on level argument
 scope :unique_by_level, lambda { |level| {
- :select => "DISTINCT ON (filtered_category) split_part(path, '/', #{level}) AS filtered_category, categories.*"
+ :select => "DISTINCT ON (filtered_category) split_part(path, '/', #{level.to_i}) AS filtered_category, categories.*"
 }}
 def all_products
diff --git a/app/models/task.rb b/app/models/task.rb
index 927031d..a0aa879 100644
--- a/app/models/task.rb
+++ b/app/models/task.rb
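Review bot: `level.to_i` in unique_by_level maps nil or a non-numeric argument to 0, and split_part in PostgreSQL (which the DISTINCT ON in the same select already ties this scope to) rejects a field position of 0 with a database error, so a bad argument now fails inside the query rather than at the call site. Since the scope only makes sense for a positive field position, failing fast is clearer, e.g. `split_part(path, '/', #{Integer(level)})`, which raises before any SQL is built while keeping the interpolation safe because Integer() can only yield digits. The added comment could also state that callers must pass a positive integer level.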
@@ -242,9 +242,34 @@ class Task < ActiveRecord::Base
 scope :canceled, :conditions => { :status => Task::Status::CANCELLED }
 scope :closed, :conditions => { :status => [Task::Status::CANCELLED, Task::Status::FINISHED] }
 scope :opened, :conditions => { :status => [Task::Status::ACTIVE, Task::Status::HIDDEN] }
- scope :of, lambda { |type| conditions = type ? "type LIKE '#{type}'" : "1=1"; {:conditions => [conditions]} }
- scope :order_by, lambda { |attribute, ord| {:order => "#{attribute} #{ord}"} }
- scope :like, lambda { |field, value| where("LOWER(#{field}) LIKE ?", "%#{value.downcase}%") if value}
+
+ # updated scope method to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+ def self.of type
+ if type
+ where "type LIKE ?", type
+ else
+ all
+ end
+ end
+
+ # updated scope method to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+ def self.order_by attribute_name, sort_order
+ if Task.column_names.include? attribute_name
+ # TODO future versions of rails accepts a hash as param to order method
+ # which helps to prevent sql injection in an shorter way
+ sort_order_filtered = ("ASC".eql? "#{sort_order}".upcase) ? 'asc' : 'desc'
+ sort_expression = Task.column_names.collect {|column_name| "#{column_name} #{sort_order_filtered}" if column_name.eql? attribute_name}
+ order(sort_expression.join) unless sort_expression.join.empty?
+ end
+ end
+
+ # updated scope method to avoid sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
+ def self.like field, value
+ if value and Tasks.column_names.include? field
+ where("LOWER(?) LIKE ?", "#{field}", "%#{value.downcase}%")
+ end
+ end
+ + scope :pending_all, lambda { |profile, filter_type, filter_text| self.to(profile).without_spam.pending.of(filter_type).like('data', filter_text) }
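Review bot: `self.like` references `Tasks.column_names`, but the class is `Task`, so every call with a value raises NameError, and binding the column as `?` produces `LOWER('data') LIKE '%x%'`, which compares a string literal rather than the column, so the text filter in :pending_all can never match a row. Because `field` is checked against column_names first, the column name can be interpolated and only the value needs binding. `self.of` replaces the old `1=1` condition with `all`, which on Rails 3.x returns an Array and breaks the `.like` chain in :pending_all, so `scoped` is the neutral relation there; if filter_type is meant to select one STI class, `where(:type => type)` would also stop a `%` in the parameter from matching every type. `self.order_by` returns nil when the attribute is not a column, which breaks chaining the same way, and its collect/join over column_names only ever yields the single whitelisted name. The rewrite below keeps both whitelists and returns a relation on every path.
```ruby
def self.of type
  # `all` loads an Array on Rails 3.x and breaks the chain in :pending_all
  type ? where("type LIKE ?", type) : scoped
end

def self.order_by attribute_name, sort_order
  return scoped unless column_names.include?(attribute_name.to_s)
  direction = sort_order.to_s.upcase == 'ASC' ? 'asc' : 'desc'
  order("#{attribute_name} #{direction}")
end

def self.like field, value
  return scoped unless value && column_names.include?(field.to_s)
  # field is whitelisted above; a bound `?` here would compare the literal string, never the column
  where("LOWER(#{field}) LIKE ?", "%#{value.downcase}%")
end
```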
diff --git a/lib/activities_counter_cache_job.rb b/lib/activities_counter_cache_job.rb
index 3106c6d..e594e2f 100644
--- a/lib/activities_counter_cache_job.rb
+++ b/lib/activities_counter_cache_job.rb
@@ -1,11 +1,15 @@
 class ActivitiesCounterCacheJob
+
+ # Changed to prevent sql injection vunerabillity (http://brakemanscanner.org/docs/warning_types/sql_injection/)
 def perform
- person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
- organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= '#{ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db)}') AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
+ person_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.user_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Person' ) ) GROUP BY profiles.id;")
+ organization_activities_counts = ActiveRecord::Base.connection.execute("SELECT profiles.id, count(action_tracker.id) as count FROM profiles LEFT OUTER JOIN action_tracker ON profiles.id = action_tracker.target_id WHERE (action_tracker.created_at >= #{ActiveRecord::Base.connection.quote(ActionTracker::Record::RECENT_DELAY.days.ago.to_s(:db))}) AND ( (profiles.type = 'Community' OR profiles.type = 'Enterprise' OR profiles.type = 'Organization' ) ) GROUP BY profiles.id;")
 activities_counts = person_activities_counts.entries + organization_activities_counts.entries
 activities_counts.each do |count|
- ActiveRecord::Base.connection.execute("UPDATE profiles SET activities_count=#{count['count'].to_i} WHERE profiles.id=#{count['id']};")
+ update_sql = ActiveRecord::Base.__send__(:sanitize_sql, ["UPDATE profiles SET activities_count=? WHERE profiles.id=?;", count['count'].to_i, count['id'] ], '')
+ ActiveRecord::Base.connection.execute(update_sql)
 end
 Delayed::Job.enqueue(ActivitiesCounterCacheJob.new, {:priority => -3, :run_at => 1.day.from_now})
 end
+
 end
-- libgit2 0.21.2
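Review bot: The UPDATE in the each loop is built with `ActiveRecord::Base.__send__(:sanitize_sql, [...], '')`, reaching past the method's protected visibility and passing an empty string as its table_name argument, while the two SELECTs a few lines above already quote through `connection.quote`. Using the same quoting here keeps the statement readable and drops the private call: `ActiveRecord::Base.connection.execute("UPDATE profiles SET activities_count=#{count['count'].to_i} WHERE profiles.id=#{ActiveRecord::Base.connection.quote(count['id'])};")`. Both interpolated values come from this job's own query results rather than request input, so what is being fixed is quoting correctness more than an injection path, and the comment added above `perform` would be more precise if it said so.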