Skip to content
This repository has been archived by the owner on Jul 23, 2022. It is now read-only.
Permalink
Browse files Browse the repository at this point in the history
Fix the SQL injection! STRING INTERPOLATION - NEVER AGAIN. NEVER!
  • Loading branch information
elizabrock committed May 1, 2014
1 parent d26ec7e commit cd11cf1
Show file tree
Hide file tree
Showing 3 changed files with 11 additions and 8 deletions.
4 changes: 2 additions & 2 deletions lib/database.rb
Expand Up @@ -13,8 +13,8 @@ def create_tables
self.execute("CREATE TABLE injuries (id INTEGER PRIMARY KEY AUTOINCREMENT, name varchar(50))")
end

def execute(statement)
def execute(statement, bind_vars = [])
Environment.logger.info("Executing: " + statement)
super(statement)
super(statement, bind_vars)
end
end
12 changes: 6 additions & 6 deletions models/injury.rb
Expand Up @@ -19,8 +19,8 @@ def self.count
end

def self.find_by_name(name)
statement = "Select * from injuries where name = \"#{name}\";"
execute_and_instantiate(statement)[0]
statement = "Select * from injuries where name = ?;"
execute_and_instantiate(statement, name)[0]
end

def self.last
Expand All @@ -33,16 +33,16 @@ def save
@errors << "#{self.name} already exists."
false
else
statement = "Insert into injuries (name) values ('#{name}');"
Environment.database_connection.execute(statement)
statement = "Insert into injuries (name) values (?);"
Environment.database_connection.execute(statement, name)
true
end
end

private

def self.execute_and_instantiate(statement)
rows = Environment.database_connection.execute(statement)
def self.execute_and_instantiate(statement, bind_vars = [])
rows = Environment.database_connection.execute(statement, bind_vars)
results = []
rows.each do |row|
results << Injury.new(row["name"])
Expand Down
3 changes: 3 additions & 0 deletions spec/injury_integration_spec.rb
Expand Up @@ -57,12 +57,15 @@
context "without alphabet characters" do
let(:output){ run_ltk_with_input("2", "4*25") }
it "should not save the injury" do
pending
Injury.count.should == 1
end
it "should print an error message" do
pending
output.should include("'4*25' is not a valid injury name, as it does not include any letters'")
end
it "should let them try again" do
pending
menu_text = "What is the injury you want to add?"
output.should include_in_order(menu_text, "not a valid", menu_text)
end
Expand Down

0 comments on commit cd11cf1

Please sign in to comment.