@ehlertij
Created November 27, 2012 17:35
```ruby
class UserController < ApplicationController
  def show
    # Vulnerable: params[:user_id] is interpolated straight into the SQL text,
    # so a value such as "0; DROP TABLE users" becomes part of the statement.
    @user = User.where("id = #{params[:user_id]}").first
  end
end
```
```ruby
params = { :id => '0; DROP TABLE users' }
# Rails will scrub this for you!
User.where(:id => params[:id])
# For more complicated queries, use array syntax!
User.where("created_at between ? and ?", params[:start], params[:end])
# Here's another nice option if you have lots of params to pass in
User.where(
  "(created_at between :start and :end)
   and last_name like :last_name",
  { :start     => params[:start],
    :end       => params[:end],
    :last_name => params[:lastname] }
)
```
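To make the difference between interpolation and placeholder binding concrete, here is an added example (not code from the gist) with a minimal stand-in for ActiveRecord's `?` and `:name` binding; the `quote` helper and its doubled-single-quote rule are an assumption modelled on what SQL adapters do, not ActiveRecord's own implementation.

```ruby
# Added example: a minimal stand-in for ActiveRecord's placeholder binding.
# quote() is an assumption modelled on SQL adapters (single quotes doubled);
# a real app should let ActiveRecord do this rather than hand-rolling it.
def quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Unsafe: untrusted input spliced straight into the SQL text, exactly what
# the vulnerable UserController#show above does.
def unsafe_where(user_id)
  "SELECT * FROM users WHERE id = #{user_id}"
end

# Safe: positional "?" placeholders, as in the array form of where().
# The block form of sub! is used so a backslash in a value is not read
# as a back-reference.
def bind_positional(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} values, got #{values.size}"
  end
  values.each_with_object(template.dup) { |v, sql| sql.sub!("?") { quote(v) } }
end

# Safe: named placeholders, as in the hash form of where(); a missing
# bind value is an error rather than a silently unbound placeholder.
def bind_named(template, binds)
  template.gsub(/:([a-z_]+)/) do
    key = Regexp.last_match(1).to_sym
    raise KeyError, "missing bind value for :#{key}" unless binds.key?(key)
    quote(binds[key])
  end
end

# Constructed attacker input, the same string the gist uses.
INJECTED_ID = "0; DROP TABLE users".freeze

if __FILE__ == $0
  puts unsafe_where(INJECTED_ID)
  # => SELECT * FROM users WHERE id = 0; DROP TABLE users   (two statements)
  puts bind_positional("SELECT * FROM users WHERE id = ?", INJECTED_ID)
  # => SELECT * FROM users WHERE id = '0; DROP TABLE users' (one string literal)
  puts bind_named("last_name like :last_name", last_name: "O'Brien")
  # => last_name like 'O''Brien'
end
```

With the hash form `User.where(:id => params[:id])`, ActiveRecord additionally casts the value to the column type, so an integer `id` column would see `id = 0` rather than a quoted string.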
```ruby
# Bad!
send(params[:method])
# Still not great, but better!
SAFE_VALUES = %w[foo bar]
if SAFE_VALUES.include?(params[:method])
  send(params[:method])
else
  # reject: params[:method] is not in the allowlist
end
```