Skip to content

Instantly share code, notes, and snippets.

@keithtom
Created February 14, 2013 23:25
Show Gist options
  • Save keithtom/4957327 to your computer and use it in GitHub Desktop.
Save keithtom/4957327 to your computer and use it in GitHub Desktop.
A mini app where users can 'signup' by adding their name to the database. user_bad.rb doesn't sanitize the sql properly so we can signup as an admin.
require 'sqlite3'
require_relative 'user_db' # Setup user table
# Open a database
db = SQLite3::Database.new "test.db"
while true
# Get user input.
puts "Add user:"
user_name = gets.strip
# Store user in db.
query = "insert into users VALUES ('#{user_name}', 0);"
puts "Executing: #{query}"
result = db.execute query
puts "done."
end
require 'sqlite3'
# Open a database
db = SQLite3::Database.new "test.db"
def destroy_table(db)
db.execute "drop table users;"
end
def create_table(db)
db.execute "create table users (name varchar(30), admin int);"
end
def insert_data(db)
db.execute "insert into users VALUES ('regular joe', 0);"
db.execute "insert into users VALUES ('admin', 1);"
end
destroy_table(db)
create_table(db)
insert_data(db)
require 'sqlite3'
require_relative 'user_db' # Setup user table
# Open a database
db = SQLite3::Database.new "test.db"
while true
# Get user input.
puts "Add user:"
user_name = gets.strip
# Store user in db.
# query = "insert into users VALUES ('#{user_name}', 0);"
query = "insert into users VALUES (?, 0);"
puts "Executing: #{query}"
result = db.execute query, user_name
puts "done."
end
# try typing: bad guy', 1);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment