bmaddy@foo:~/src/sandbox/console$ rails c
Loading development environment (Rails 3.0.4)
ruby-1.8.7-p330 :001 > User.count
 => 0
ruby-1.8.7-p330 :002 > User.order("name; delete from users;--").to_sql
 => "SELECT \"users\".* FROM \"users\" ORDER BY name; delete from users;--"
ruby-1.8.7-p330 :003 > User.order("?", "name; delete from users;--").to_sql
 => "SELECT \"users\".* FROM \"users\" ORDER BY ?, name; delete from users;--"
ruby-1.8.7-p330 :004 > User.order(["?", "name; delete from users;--"]).to_sql
 => "SELECT \"users\".* FROM \"users\" ORDER BY ?, name; delete from users;--"
ruby-1.8.7-p330 :005 > User.create :name => "Capt. Awesome"
 => #<User id: 2, name: "Capt. Awesome", created_at: "2011-02-11 16:57:35", updated_at: "2011-02-11 16:57:35">
ruby-1.8.7-p330 :006 > User.count
 => 1
ruby-1.8.7-p330 :007 > User.order("name; delete from users;--")
 => [#<User id: 2, name: "Capt. Awesome", created_at: "2011-02-11 16:57:35", updated_at: "2011-02-11 16:57:35">]
ruby-1.8.7-p330 :008 > User.count
 => 1
ruby-1.8.7-p330 :009 > User.connection.execute User.order(["?", "name; delete from users;--"]).to_sql
 => [{"name"=>"Capt. Awesome", 0=>2, "created_at"=>"2011-02-11 16:57:35.131638", 1=>"Capt. Awesome", "updated_at"=>"2011-02-11 16:57:35.131638", 2=>"2011-02-11 16:57:35.131638", "id"=>2, 3=>"2011-02-11 16:57:35.131638"}]
ruby-1.8.7-p330 :010 > User.count
 => 1
ruby-1.8.7-p330 :011 > ^D
bmaddy@foo:~/src/sandbox/console$ rails db
SQLite version 3.6.12
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> SELECT * FROM users;
2|Capt. Awesome|2011-02-11 16:57:35.131638|2011-02-11 16:57:35.131638
sqlite> SELECT "users".* FROM "users" ORDER BY name; delete from users;--
2|Capt. Awesome|2011-02-11 16:57:35.131638|2011-02-11 16:57:35.131638
sqlite> SELECT * FROM users;
sqlite> SELECT count(*) FROM users;
0
sqlite>
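The session shows that ActiveRecord 3.0.4 pastes the `order` argument into the SQL verbatim (the `?` forms are not bound either), and that only the sqlite CLI went on to run the stacked `delete`. The following is an added example, not code from the paste: `naive_order_sql` reproduces that concatenation, while `safe_order_clause` / `hardened_order_sql` (hypothetical names, with an assumed `SORTABLE_COLUMNS` allowlist) use the untrusted sort parameter only as a lookup key so no SQL text from the request reaches the query.

```ruby
# Allowlist of client-facing sort keys mapped to quoted column identifiers.
# (Assumed schema: the "users" table from the console session above.)
SORTABLE_COLUMNS = {
  "name"    => %("users"."name"),
  "created" => %("users"."created_at"),
}.freeze

DIRECTIONS = { "asc" => "ASC", "desc" => "DESC" }.freeze

class UnsafeSortParameter < ArgumentError; end

# Builds an ORDER BY fragment from untrusted input by lookup only.
# Anything not in the allowlist is rejected instead of interpolated.
def safe_order_clause(sort, dir = "asc")
  column    = SORTABLE_COLUMNS[sort.to_s]
  direction = DIRECTIONS[dir.to_s.downcase]
  raise UnsafeSortParameter, "sort=#{sort.inspect}" unless column
  raise UnsafeSortParameter, "dir=#{dir.inspect}" unless direction
  "#{column} #{direction}"
end

# Mirrors what the session shows ActiveRecord 3.0.4 doing with order():
# the string is appended unchanged, so a stacked statement survives.
def naive_order_sql(raw)
  %(SELECT "users".* FROM "users" ORDER BY #{raw})
end

# Same query, but the ORDER BY part can only ever be an allowlisted value.
def hardened_order_sql(sort, dir = "asc")
  %(SELECT "users".* FROM "users" ORDER BY #{safe_order_clause(sort, dir)})
end

if __FILE__ == $0
  payload = "name; delete from users;--"   # the string used in the session
  puts naive_order_sql(payload)           # stacked statement passes through
  begin
    hardened_order_sql(payload)
  rescue UnsafeSortParameter => e
    puts "rejected: #{e.message}"         # lookup fails, nothing is built
  end
  puts hardened_order_sql("name", "desc") # only allowlisted SQL is emitted
end
```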