
@akhilstanis
Created December 5, 2019 15:16
SQL Injection Example
require 'sinatra'
require 'pg'

database_url = ENV['DATABASE_URL'] || 'postgres://localhost:5432/sql_injection'
pg = PG.connect(database_url)
pg.exec('CREATE TABLE IF NOT EXISTS users (username CHAR(50), password CHAR(50));')

# Demo-only secret. A real app wants a long random value (e.g. SecureRandom.hex(64)).
set :session_secret, 'super_secret'
enable :sessions

get '/' do
  current_user = session[:current_user]
  redirect to('/login') unless current_user
  "Welcome #{current_user}<br/><a href='/logout'>Logout</a>"
end

# Renders views/login.erb (not included in the gist): a form that POSTs
# username and password to /login and shows @error when it is set.
get '/login' do
  erb :login
end

post '/login' do
  @username = params[:username]
  @password = params[:password]
  # VULNERABLE: both values are interpolated straight into the SQL text, so a
  # single quote in either one ends the string literal and whatever follows is
  # parsed as SQL. This is the injection the gist demonstrates.
  user = pg.exec("SELECT * FROM users WHERE username = '#{@username}' AND password = '#{@password}'").first
  if !user
    @error = 'invalid username or password'
    erb :login
  else
    # Keep only the username in the session: the row is a hash that also holds
    # the password, and CHAR(50) pads values with trailing spaces.
    session[:current_user] = user['username'].rstrip
    redirect to('/')
  end
end

get '/logout' do
  session.delete(:current_user)
  redirect to('/login')
end
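Added example, not part of the gist: what the login query above turns into when the username field carries a crafted value, and the parameterised form of the same query that closes the hole. build_vulnerable_sql, build_safe_query, PAYLOADS and live_demo are names chosen here for illustration; exec_params and the $1/$2 placeholders are the real pg gem API. The live part only runs when DATABASE_URL is set, everything else is pure string handling.

```ruby
# The gist's pattern: user input interpolated straight into the SQL text.
def build_vulnerable_sql(username, password)
  "SELECT * FROM users WHERE username = '#{username}' AND password = '#{password}'"
end

# The fix: the SQL text is fixed at write time and the values travel separately
# as parameters, so a quote inside a value can never terminate the literal.
def build_safe_query(username, password)
  ['SELECT * FROM users WHERE username = $1 AND password = $2', [username, password]]
end

# Constructed payloads (illustrative, not from the gist). "--" opens a SQL
# comment, so PostgreSQL discards the rest of the line, password check included.
PAYLOADS = {
  'comment out the password check' => ["admin'--", 'anything'],
  'always-true tautology'          => ["' OR '1'='1", "' OR '1'='1"],
}.freeze

# The statement the database would actually execute for each payload.
def injected_queries
  PAYLOADS.transform_values { |u, p| build_vulnerable_sql(u, p) }
end

# Runs both versions against a real database, e.g.
#   DATABASE_URL=postgres://localhost:5432/sql_injection ruby sqli_demo.rb
def live_demo(database_url)
  require 'pg'
  pg = PG.connect(database_url)
  pg.exec('CREATE TABLE IF NOT EXISTS users (username CHAR(50), password CHAR(50))')
  pg.exec_params('INSERT INTO users VALUES ($1, $2)', ['admin', 'correct horse battery staple'])
  PAYLOADS.each do |name, (u, p)|
    vuln = pg.exec(build_vulnerable_sql(u, p)).ntuples
    sql, params = build_safe_query(u, p)
    safe = pg.exec_params(sql, params).ntuples
    puts "#{name}: interpolated query matched #{vuln} row(s), parameterised matched #{safe}"
  end
ensure
  pg&.close
end

live_demo(ENV['DATABASE_URL']) if ENV['DATABASE_URL']
```

Against a database holding the admin row, the interpolated query returns the user for both payloads without knowing the password, while the parameterised one returns nothing. In the gist the one-line fix is `pg.exec_params("SELECT * FROM users WHERE username = $1 AND password = $2", [@username, @password]).first`. Note that parameterisation only removes the injection; comparing plaintext passwords in the database is a separate problem the gist does not set out to address.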