Rails Bad Practices #1 - SQL injection.
SQL injection is a very nice trick, however it's really hard to achieve with Rails. These few simple lines of code allow all of your users to execute whatever SQL they want:
# app/models/user.rb
class User < ActiveRecord::Base
  # user input is interpolated straight into the SQL string (the bug this post is about)
  scope :very_clever_scope, lambda { |name_or_id| where("name = #{name_or_id} OR id=#{name_or_id}") }
end

# app/controllers/users_controller.rb
class UsersController < ApplicationController
  def show
    # uber clever params[:id] backwards compatibility
    User.very_clever_scope(params[:id]).find(:first)
  end
end
And now you can relax and enjoy DROP ALL TABLES queries.
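For comparison, here is the same scope's WHERE clause built the way it should be, with bind parameters. This is an added example, not code from the original post; `quote` and `sanitize_sql_array` are small stand-ins for what ActiveRecord and the database adapter do with `?` placeholders, so the difference is visible without a database.

```ruby
# Vulnerable form from the post: the raw value is spliced into the SQL text,
# so anything the user types becomes part of the query structure.
def unsafe_where(name_or_id)
  "name = #{name_or_id} OR id=#{name_or_id}"
end

# Stand-in for adapter quoting (assumption: mimics the shape of ActiveRecord's
# quoting, integers are left bare, strings are single-quoted with ' doubled).
def quote(value)
  case value
  when Integer then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Stand-in for ActiveRecord's placeholder substitution used by
# where("... ? ...", v): each ? is replaced by one quoted bind value.
def sanitize_sql_array(template, *binds)
  raise ArgumentError, "bind count mismatch" unless template.count("?") == binds.size
  i = -1
  template.gsub("?") { quote(binds[i += 1]) }
end

# Hardened form: in the model this is
#   scope :by_name_or_id, ->(v) { where("name = ? OR id = ?", v, v) }
# The value can only ever be a literal, never extra SQL.
def safe_where(name_or_id)
  sanitize_sql_array("name = ? OR id = ?", name_or_id, name_or_id)
end

if __FILE__ == $0
  input = "1 OR 1=1"          # constructed sample input
  puts unsafe_where(input)    # the OR becomes part of the query logic
  puts safe_where(input)      # the whole string stays one quoted literal
end
```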