Monday, July 26, 2010

Important URLs for RoR Developement

Official Website

Great Start


Sample applications with basic features like authentication and admin features

Many to Many Relationship with Multi select control in rails

Develop Facebook application

Use mysql_real_escape_string() function to avoid mysql injections

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";

// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'admin';
$_POST['password'] = "' OR ''='";
// This means the query sent to MySQL would be:
echo $query;

The query sent to MySQL as:

SELECT * FROM users WHERE user='admin' AND password='' OR ''=''

This would allow anyone to log in without a valid password.

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
Here mysql_real_escape_string function prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a to make data safe before sending a query to MySQL. So user can't hack your database.