Inject Some SQL
These are sample Rails applications for demonstrating many ways SQL can be injected in Rails.
Clone the repo:
git clone https://github.com/presidentbeef/inject-some-sql.git
Pick either Rails 3 or Rails 4. They each have their own subdirectory.
In the subdirectory, install dependencies and set up the database:
bundle install
rake db:setup db:seed
Typical Rails start:
Open up localhost:3000 in a browser.
It's easy to mess up a database with SQL injection. The server does attempt to reset the database after each query, but that isn't foolproof.
To completely reset:
rake db:drop db:migrate db:seed
The site lists a whole bunch of ActiveRecord queries.
Each query has input for a single parameter (although some queries may actually have more than one). A sample injection is provided. Clicking "Run!" will run the query shown.
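A defensive counterpart to the query list described above, as an added example that is not part of this repository: a small heuristic Ruby scan that flags ActiveRecord calls whose SQL argument is built by string interpolation or concatenation. The sample source lines, the `risky_queries` helper and the choice of methods to watch are assumptions made for illustration.

```ruby
# Added example (not code from the inject-some-sql repo).
# Heuristic, line-based scan: it only looks at the text after the method name,
# so it is a review aid rather than a full static analyzer.

# ActiveRecord query methods that accept SQL strings or fragments.
SQL_METHODS = %w[where order reorder group having joins select pluck from lock
                 find_by_sql exists? calculate].freeze

# ".method(" or ".method " followed by the rest of the line (the arguments).
CALL = /\.(#{SQL_METHODS.map { |m| Regexp.escape(m) }.join('|')})(?![\w?])\s*\(?\s*(.*)/

INTERPOLATED = /"[^"]*#\{/                # "#{...}" inside a double-quoted string
CONCATENATED = /["']\s*\+|\+\s*["']/      # "..." + value  or  value + "..."

# Returns one hash per suspicious line: { line:, method:, reason: }.
def risky_queries(source)
  source.each_line.with_index(1).map do |line, number|
    next if line.strip.start_with?('#')          # skip comment lines
    next unless (call = CALL.match(line))
    reason = if call[2] =~ INTERPOLATED then :interpolation
             elsif call[2] =~ CONCATENATED then :concatenation
             end
    { line: number, method: call[1], reason: reason } if reason
  end.compact
end

# Constructed sample input: a mix of interpolated and parameterized queries.
SAMPLE = <<~'RUBY'
  User.where("name = '#{params[:name]}'")
  User.where("name = ?", params[:name])
  User.where(name: params[:name])
  User.order("#{params[:column]} ASC")
  User.find_by_sql("SELECT * FROM users WHERE id = " + params[:id])
  User.exists?(["name = ?", params[:name]])
  User.pluck(:name)
RUBY

risky_queries(SAMPLE).each do |hit|
  puts "line #{hit[:line]}: #{hit[:method]} built with #{hit[:reason]}"
end
```

The bound-parameter and hash forms on sample lines 2, 3 and 6 pass the scan because user input never becomes part of the SQL text.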
All queries are generated from
- This is a single player game because the SQL query is stored in a global variable.
This code is made available under the MIT license.