ollieshmollie ollieshmollie - 15 days ago


Ruby

Parameterizing SQL Queries

# Text-field input is again stored in a variable (here a Rack/Sinatra-style params hash;
# the original used a pseudocode helper for the same thing)
u_name = params['username']
# The query text is fixed up front, so the database can decide a query plan for it;
# the ? marks where a bound parameter will go
sql_query = "SELECT * FROM users WHERE username = ?"
# Now we pass the parameters alongside the query instead of interpolating them into it
# (sqlite3 gem style, assuming db is an open SQLite3::Database: Database#execute(sql, bind_vars))
rows = db.execute(sql_query, [u_name])
# Only the SELECT statement is executed: u_name is bound wholly as the value of the ? parameter,
# so input such as  ' or '1'='1  is compared literally against the username column, as if the query were
#   SELECT * FROM users WHERE username = ''' or ''1''=''1'
# Which makes no sense as a username, and the db either throws an error or does what is expected: returns nothing
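To make the difference between interpolation and binding concrete without a database, here is an added example (not the snippet author's code) that models what a parameterized driver does: the SQL text stays constant and the values travel separately. A small hand-written tokenizer (an assumption of this example, not a real SQL parser) shows that user input can change the token structure of an interpolated query, but cannot change the structure of a parameterized one. The table name, column name and sample inputs are constructed for the demo.

```ruby
# Added example: models why binding parameters defeats injection.
# No database gem is used; the tokenizer below is a deliberately tiny stand-in
# for the database's own parser, handling only what this demo needs.

Token = Struct.new(:type, :text)

SQL_KEYWORDS = %w[SELECT FROM WHERE AND OR].freeze

# Split SQL into keywords, identifiers, single-quoted string literals
# (with '' as the escaped quote), ? placeholders and single-char operators.
# Raises ArgumentError on an unterminated literal, as a real parser would.
def tokenize_sql(sql)
  tokens = []
  i = 0
  while i < sql.length
    c = sql[i]
    if c =~ /\s/
      i += 1
    elsif c == "'"
      j = i + 1
      buf = +""
      loop do
        raise ArgumentError, "unterminated string literal" if j >= sql.length

        if sql[j] == "'" && sql[j + 1] == "'"
          buf << "'"
          j += 2
        elsif sql[j] == "'"
          j += 1
          break
        else
          buf << sql[j]
          j += 1
        end
      end
      tokens << Token.new(:string, buf)
      i = j
    elsif c == "?"
      tokens << Token.new(:placeholder, "?")
      i += 1
    elsif c =~ /[A-Za-z_]/
      j = i
      j += 1 while j < sql.length && sql[j] =~ /[A-Za-z0-9_]/
      word = sql[i...j]
      type = SQL_KEYWORDS.include?(word.upcase) ? :keyword : :ident
      tokens << Token.new(type, word)
      i = j
    else
      tokens << Token.new(:op, c)
      i += 1
    end
  end
  tokens
end

# The vulnerable pattern: the value is spliced into the SQL text itself.
def unsafe_query(username)
  "SELECT * FROM users WHERE username = '#{username}'"
end

# The parameterized pattern: fixed SQL plus a separate list of bind values,
# which is what the driver sends to the database.
PARAM_QUERY = "SELECT * FROM users WHERE username = ?".freeze

def parameterized_query(username)
  [PARAM_QUERY, [username]]
end

# The "shape" of a query: every token except the contents of string literals.
def structure(tokens)
  tokens.map { |t| t.type == :string ? :string : t.text.upcase }
end

# True when the input alters the parsed shape of the interpolated query
# (extra keywords, extra comparisons) or breaks it outright: an injection, or
# an innocent apostrophe, rather than a plain value.
def injection_via_interpolation?(username)
  baseline = structure(tokenize_sql(unsafe_query("alice")))
  structure(tokenize_sql(unsafe_query(username))) != baseline
rescue ArgumentError
  true
end

# For the parameterized form the shape never depends on the input: the only
# thing that varies is the bind list, and there is exactly one bind per ?.
def parameterized_shape_and_binds(username)
  sql, binds = parameterized_query(username)
  tokens = tokenize_sql(sql)
  placeholders = tokens.count { |t| t.type == :placeholder }
  [structure(tokens), binds, placeholders == binds.length]
end
```

Running `injection_via_interpolation?("' or '1'='1")` reports `true` because the interpolated text now parses as two comparisons joined by `OR`; `injection_via_interpolation?("O'Brien")` also reports `true`, since a plain apostrophe leaves an unterminated literal, which is the "throws an error" outcome the snippet mentions. `parameterized_shape_and_binds` returns the same structure for every input, with the raw input sitting in the bind list as a value.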