Official Website
http://rubyonrails.org/
Great Start
http://www.akitaonrails.com/2007/12/12/rolling-with-rails-2-0-the-first-full-tutorial
Examples
http://www.tutorialspoint.com/ruby-on-rails/rails-examples.htm
Sample applications with basic features like authentication and admin features
http://www.railsinside.com/elsewhere/100-7-barebones-rails-apps-to-kick-start-your-development-process.html
Many to Many Relationship with Multi select control in rails
http://blog.coryfoy.com/2008/02/multiselect-control-in-rails-with-a-many-to-many-relationship/
Develop Facebook application
http://www.liverail.net/articles/2007/6/29/tutorial-on-developing-a-facebook-platform-application-with-ruby-on-rails
Monday, July 26, 2010
Use the mysql_real_escape_string() function to avoid MySQL injections
<?php
// We never check $_POST['password']; it can be anything the user wants. For example:
$_POST['username'] = 'admin';
$_POST['password'] = "' OR ''='";

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// This means the query sent to MySQL would be:
echo $query;
?>
The query sent to MySQL is:
SELECT * FROM users WHERE user='admin' AND password='' OR ''=''
This would allow anyone to log in without a valid password.
Solution:
<?php
// Query: escape each value, then place it inside single quotes
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($_POST['username']),
    mysql_real_escape_string($_POST['password']));
?>
Here mysql_real_escape_string() prepends a backslash to each of the characters \x00, \n, \r, \, ', " and \x1a, making the data safe to place inside a quoted string literal before the query is sent to MySQL. Because an escaped quote can no longer terminate the literal, the injected OR clause above stays inside the password value instead of becoming part of the query, so the user cannot change what the query does.