Update guides on security page for sql injection sample code [ci-skip]

This commit is contained in:
Kuniaki Igarashi 2022-09-14 10:22:37 +09:00
parent 2c5eda36c0
commit e3a35e228b

@ -614,10 +614,10 @@ SQL injection attacks aim at influencing database queries by manipulating web ap
Project.where("name = '#{params[:name]}'")
```
This could be in a search action and the user may enter a project's name that they want to find. If a malicious user enters `' OR 1 --`, the resulting SQL query will be:
This could be in a search action and the user may enter a project's name that they want to find. If a malicious user enters `' OR 1) --`, the resulting SQL query will be:
```sql
SELECT * FROM projects WHERE name = '' OR 1 --'
SELECT * FROM projects WHERE (name = '' OR 1) --')
```
The two dashes start a comment ignoring everything after it. So the query returns all records from the projects table including those blind to the user. This is because the condition is true for all records.
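Review bot: the new SQL on the `SELECT * FROM projects WHERE (name = '' OR 1) --')` line introduces parentheses that do not appear in the unchanged Ruby line `Project.where("name = '#{params[:name]}'")`, and the hunk adds no sentence explaining where they come from; a reader who does not know that Active Record wraps a string condition passed to `where` in parentheses will not understand why the payload changed from `' OR 1 --` to `' OR 1) --` or why the injected `)` is needed to close the wrapper before the `--` comments out the rest. Suggest adding one sentence before the `sql` block along the lines of "Active Record wraps the string condition in parentheses, so the injected input has to close that parenthesis first", so the example and the prose stay in step; the last paragraph ("The two dashes start a comment ...") still reads correctly with the new query since the comment now also swallows the dangling `')`.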