Adam Scheinberg’s profile

I'm the primary architect for Phish.net. Featuring ramblings on Phish, technology, music, food, Apple, chocolate chip pancakes, and other miscellany.

Latest Comments


I'm not a Ruby guy, but it seems to me that this is the equivalent of this in PHP:

<?php
// Every submitted key becomes a column name and every value a literal:
// the request body decides which columns get written.
foreach ($_POST as $k => $v) {
    $db->query("UPDATE table SET " . $k . "='" . $v . "'");
}
?>

If that happened in a PHP framework, the internet would be ablaze about how bad PHP is (even assuming the value was properly DB escaped). This is a major issue, and I'd bet a huge chunk of Rails sites are vulnerable.

Posted in Hacking Rails (and GitHub).

Tue, 06 Mar 2012 at 14:23:42 GMT
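An added example, not part of the comment or the thread, in plain Ruby rather than Rails: the shape the comment describes (submitted keys become column names) beside an allowlisted, parameterised version. The table name, column set and request hash are assumptions constructed for the example.

```ruby
# Both functions return SQL text plus bound values instead of executing,
# so the difference is visible without a database.

# The dangerous shape: whatever keys the client submits become columns.
def unsafe_update_sql(table, params)
  assignments = params.map { |k, v| "#{k}='#{v}'" }
  "UPDATE #{table} SET #{assignments.join(', ')}"
end

# Strict identifier pattern for table/column names (assumed convention).
IDENT = /\A[a-z_][a-z0-9_]*\z/

# Hardened: only allowlisted columns are written, identifiers are
# validated, values go through placeholders, and the row is pinned by id.
# Rejected keys are returned so the caller can log the attempt.
def safe_update_sql(table, params, allowed, id)
  raise ArgumentError, "bad table name #{table}" unless table.match?(IDENT)

  permitted = params.select { |k, _| allowed.include?(k.to_s) }
  rejected  = params.keys.map(&:to_s) - permitted.keys.map(&:to_s)
  return { sql: nil, values: [], rejected: rejected } if permitted.empty?

  columns = permitted.keys.map(&:to_s)
  columns.each { |c| raise ArgumentError, "bad column #{c}" unless c.match?(IDENT) }

  set_clause = columns.map { |c| "#{c} = ?" }.join(", ")
  { sql: "UPDATE #{table} SET #{set_clause} WHERE id = ?",
    values: permitted.values + [id],
    rejected: rejected }
end

# Constructed request: one legitimate field plus a key the client must
# never be allowed to set.
SUBMITTED = { "name" => "Adam", "admin" => "1" }.freeze
ALLOWED_USER_COLUMNS = %w[name email].freeze  # assumed column set

if __FILE__ == $PROGRAM_NAME
  puts unsafe_update_sql("users", SUBMITTED)
  p safe_update_sql("users", SUBMITTED, ALLOWED_USER_COLUMNS, 42)
end
```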


About

  • Twitter: @sethadam1
  • Location: Orlando, FL, USA
  • Joined: March 2012
  • Comments: 1