@keithtom
Created February 14, 2013 23:25
A mini app where users can 'signup' by adding their name to the database. user_bad.rb interpolates the name straight into the SQL string, so a single quote in the input closes the string literal and whatever follows is parsed as SQL: typing bad guy', 1); signs you up as an admin. user_db.rb resets the users table and seeds it with one regular user and one admin. The third file is the fix: it passes the name to sqlite3 as a bound parameter (?), so the input is only ever treated as data.
# user_bad.rb
# Vulnerable on purpose: the name is interpolated into the SQL text, so a
# quote in the input closes the string literal and the rest is parsed as SQL.
require 'sqlite3'
require_relative 'user_db' # Setup user table

# Open a database
db = SQLite3::Database.new "test.db"

while true
  # Get user input.
  puts "Add user:"
  user_name = gets
  break if user_name.nil? # EOF (Ctrl-D) ends the loop
  user_name = user_name.strip

  # Store user in db. BAD: user_name goes straight into the query string.
  query = "insert into users VALUES ('#{user_name}', 0);"
  puts "Executing: #{query}"
  db.execute query
  puts "done."
end
# user_db.rb
# Resets the users table and seeds it with one regular user and one admin.
require 'sqlite3'

# Open a database
db = SQLite3::Database.new "test.db"

def destroy_table(db)
  # "if exists" so the very first run (no table yet) does not raise
  db.execute "drop table if exists users;"
end

def create_table(db)
  db.execute "create table users (name varchar(30), admin int);"
end

def insert_data(db)
  db.execute "insert into users VALUES ('regular joe', 0);"
  db.execute "insert into users VALUES ('admin', 1);"
end

destroy_table(db)
create_table(db)
insert_data(db)
# Fixed version of user_bad.rb: the name is passed as a bound parameter,
# so the driver treats it as data and never parses it as SQL.
require 'sqlite3'
require_relative 'user_db' # Setup user table

# Open a database
db = SQLite3::Database.new "test.db"

while true
  # Get user input.
  puts "Add user:"
  user_name = gets
  break if user_name.nil? # EOF (Ctrl-D) ends the loop
  user_name = user_name.strip

  # Store user in db. The SQL text is fixed; the driver fills in the ? itself.
  # query = "insert into users VALUES ('#{user_name}', 0);"   # the vulnerable form
  query = "insert into users VALUES (?, 0);"
  puts "Executing: #{query}"
  db.execute query, user_name
  puts "done."
end

# Try typing: bad guy', 1);
# Against user_bad.rb that runs "insert into users VALUES ('bad guy', 1);"
# and creates an admin. Here the whole string is stored literally as the
# name, with admin = 0.
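To see exactly why the payload works, here is an added example that is not part of the gist. It reproduces, at the SQL-text level, what the two insert styles hand to the driver: `interpolated_insert` builds the string the way user_bad.rb does, `bound_insert` returns the fixed SQL plus a separate bind value the way the fixed file does, and `split_first_statement` is an assumed helper that mimics how the driver cuts the first complete statement off the text (respecting quoted literals and '' escapes). No database is opened; the helper names, the `Parsed` struct and `admin_flag` are this example's own.

```ruby
# Added example (not from the gist). It reproduces, at the SQL-text level,
# why the interpolated insert in user_bad.rb is exploitable and the bound
# insert is not. No database is opened: split_first_statement only mimics
# how a driver compiles the first complete statement from the string it is
# handed (the sqlite3 gem's Statement keeps the unparsed rest as #remainder,
# and Database#execute runs just the compiled statement, which is why the
# dangling "', 0);" after the payload never causes a syntax error).

Parsed = Struct.new(:statement, :tail, :error)

# Same construction as user_bad.rb: the name is pasted into the SQL text.
def interpolated_insert(user_name)
  "insert into users VALUES ('#{user_name}', 0);"
end

# Same construction as the fixed file: fixed SQL, value shipped separately.
# Whatever the name contains, it can only ever be the first bound value.
def bound_insert(user_name)
  ["insert into users VALUES (?, 0);", [user_name]]
end

# Cut the first statement off `sql`. A ';' inside a single-quoted literal
# does not terminate the statement, and '' inside a literal is an escaped
# quote. If the string ends while a literal is still open, report an error:
# SQLite likewise rejects the unsafe query for a name such as O'Brien,
# though its own message points at the first unexpected token.
def split_first_statement(sql)
  in_literal = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_literal
      if c == "'"
        if sql[i + 1] == "'"
          i += 1 # doubled quote: stays inside the literal
        else
          in_literal = false
        end
      end
    elsif c == "'"
      in_literal = true
    elsif c == ";"
      return Parsed.new(sql[0..i], sql[(i + 1)..-1], nil)
    end
    i += 1
  end
  Parsed.new(sql, "", in_literal ? "unterminated string literal" : nil)
end

# For this two-column schema (name, admin) the admin flag is the last value
# in the VALUES list of the statement that actually runs.
def admin_flag(statement)
  m = statement.match(/,\s*(\d+)\s*\)\s*;?\s*\z/)
  m ? m[1].to_i : nil
end

if $PROGRAM_NAME == __FILE__
  payload = "bad guy', 1);" # the input suggested in the gist
  bad = split_first_statement(interpolated_insert(payload))
  puts "unsafe runs: #{bad.statement} (ignored tail: #{bad.tail.inspect})"
  puts "admin flag:  #{admin_flag(bad.statement)}"
  good_sql, binds = bound_insert(payload)
  puts "safe runs:   #{good_sql} with binds #{binds.inspect}"
  puts "O'Brien, unsafe: #{split_first_statement(interpolated_insert("O'Brien")).error}"
end
```

The apostrophe case is the practical argument for binding even when you do not fear attackers: with interpolation a perfectly honest name like O'Brien produces malformed SQL, while the bound version stores it as typed.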