Monday, July 26, 2010

Important URLs for RoR Developement

Official Website
http://rubyonrails.org/

Great Start
http://www.akitaonrails.com/2007/12/12/rolling-with-rails-2-0-the-first-full-tutorial

Examples
http://www.tutorialspoint.com/ruby-on-rails/rails-examples.htm

Sample applications with basic features like authentication and admin features
http://www.railsinside.com/elsewhere/100-7-barebones-rails-apps-to-kick-start-your-development-process.html

Many to Many Relationship with Multi select control in rails
http://blog.coryfoy.com/2008/02/multiselect-control-in-rails-with-a-many-to-many-relationship/

Develop Facebook application
http://www.liverail.net/articles/2007/6/29/tutorial-on-developing-a-facebook-platform-application-with-ruby-on-rails

Use mysql_real_escape_string() function to avoid mysql injections

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'admin';
$_POST['password'] = "' OR ''='";
// This means the query sent to MySQL would be:
echo $query;
?>

The query sent to MySQL as:

SELECT * FROM users WHERE user='admin' AND password='' OR ''=''

This would allow anyone to log in without a valid password.


Solution:
// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($_POST['user']),
mysql_real_escape_string($_POST['password']));
?>
Here mysql_real_escape_string function prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a to make data safe before sending a query to MySQL. So user can't hack your database.