Have fun injecting SQL into a Ruby on Rails application!
JavaScript Ruby HTML Other
Failed to load latest commit information.
rails3 Push down body to show "Overview" Jan 19, 2016
rails4 Push down body to show "Overview" Jan 19, 2016
MIT-LICENSE README update Feb 7, 2013
README.md Update README Jan 18, 2016
generate.sh Add script to generate site Jan 18, 2016


Inject Some SQL

These are sample Rails applications for demonstrating many ways SQL can be injected in Rails.


Clone the repo:

git clone https://github.com/presidentbeef/inject-some-sql.git

Pick either Rails 3 or Rails 4. They each have their own subdirectory.

cd inject-some-sql/rails4

In the subdirectory, install dependences and set up the database:

bundle install
rake db:setup db:seed


Typical Rails start:

rails s

Open up localhost:3000 in a browser.

Reset Database

It's easy to mess up a database with SQL injection. The server does attempt to reset the database after each query, but that isn't foolproof.

To completely reset:

rake db:drop db:migrate db:seed

Inject SQL!

The site lists a whole bunch of ActiveRecord queries.

Each query has input for a single parameter (although some queries may actually have more than one). A sample injection is provided. Clicking "Run!" will run the query shown.

Adding/Modifying Queries

All queries are generated from app/models/queries.rb.


  • This is a single player game because the SQL query is stored in a global variable.


This code is made available under the MIT license.