Adam Scheinberg’s profile

I'm the primary architect for Featuring ramblings on Phish, technology, music, food, Apple, chocolate chip pancakes, and other miscellany.

Latest Comments


I'm not a Ruby guy, but it seems to me that this is the equivalent of this in PHP:

foreach($_POST as $k=>$v) {
    // both the column name ($k) and the value ($v) come straight from the request
    $db->query("UPDATE table SET ".$k."='".$v."'");
}

If that happened in a PHP framework, the internet would be ablaze about how bad PHP is (even assuming the value was properly DB-escaped). This is a major issue, and I'd bet a huge chunk of Rails sites are vulnerable.

Posted in Hacking Rails (and GitHub).

Tue, 06 Mar 2012 at 14:23:42 GMT
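The pattern the comment above describes, written out as an added example in plain Ruby (not code from the original comment, and not from Rails itself): a model that copies every request key into a column write, beside the whitelisted form that only accepts the columns a form is supposed to set, and an UPDATE builder whose column names come from that whitelist rather than from the request. The `User` class, its `PERMITTED` and `COLUMNS` lists, and the tampered `TAMPERED_PARAMS` request body are all constructed for this illustration.

```ruby
# Added example: mass assignment without Rails, to show why "every key in
# the request becomes a column write" is the problem, independent of escaping.
class User
  # Columns an end user may set through a form (constructed whitelist).
  PERMITTED = %w[name email].freeze
  # Every column on the table, including one that must never be user-settable.
  COLUMNS = %w[id name email admin].freeze

  attr_reader :attributes

  def initialize
    @attributes = { "id" => 1, "name" => "", "email" => "", "admin" => false }
  end

  # Vulnerable pattern: each key in params is written to the matching column,
  # so any extra field the client sends (e.g. "admin") is accepted.
  def assign_all!(params)
    params.each { |k, v| @attributes[k.to_s] = v }
    self
  end

  # Hardened pattern: only whitelisted keys are applied; everything else is dropped.
  def assign_permitted!(params)
    params.each do |k, v|
      next unless PERMITTED.include?(k.to_s)
      @attributes[k.to_s] = v
    end
    self
  end

  # Builds a parameterised UPDATE. Column names are drawn from the whitelist,
  # never from the request; values travel as bind parameters, so escaping of
  # the value is a separate concern from which columns can be touched.
  # Returns [sql, binds] or nil when nothing permitted was supplied.
  def update_sql(params)
    cols = params.keys.map(&:to_s).select { |k| PERMITTED.include?(k) }
    return nil if cols.empty?

    set_clause = cols.map { |c| "#{c} = ?" }.join(", ")
    binds = cols.map { |c| params[c] } + [@attributes["id"]]
    ["UPDATE users SET #{set_clause} WHERE id = ?", binds]
  end
end

# Constructed request body: the form only exposes name and email, but the
# submitted body carries an extra "admin" field.
TAMPERED_PARAMS = {
  "name" => "alice",
  "email" => "alice@example.invalid",
  "admin" => true
}.freeze

# Runs both assignment styles against the same body and reports the outcome.
def demo(params = TAMPERED_PARAMS)
  vulnerable = User.new.assign_all!(params)
  hardened   = User.new.assign_permitted!(params)
  {
    vulnerable_admin: vulnerable.attributes["admin"],
    hardened_admin:   hardened.attributes["admin"],
    sql:              hardened.update_sql(params)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The whitelist is the whole fix: `assign_permitted!` ignores the extra field, and `update_sql` can never emit a column name that was not on the list, which is the property the PHP snippet above lacks regardless of how well `$v` is escaped.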


  • Twitter: @sethadam1
  • Location: Orlando, FL, USA
  • Joined: March 2012
  • Comments: 1