Learn SQL Injection by Ethically Hacking a Rails App

How bad actors might inject SQL to access private information

GreekDataGuy
Ruby Daily


SQL injection allows a hacker to access private information in a database. This could be as benign as emails, or as sensitive as credit card information.

Most software frameworks have best practices that prevent this, but in the cowboy-coding world of startups this vulnerability exists in more apps than you’d think.

The best way to avoid SQL injection is to know how to do it. Let’s build a Rails app then hack it ourselves!

This Tutorial Has Three Parts

  1. SQL injection overview.
  2. Building a vulnerable Rails app.
  3. Hacking the app.

Part three relies on building the app in part two, but you can skip to the last section if you just want to look at injection examples.

1. SQL Injection Overview

What is SQL injection?

SQL injection is supplying SQL through an input field so that it is executed directly against the database.

This becomes possible (unintentionally) when an app interpolates user input directly into a SQL query on the back end, so the input is treated as part of the query text instead of as a value.
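As an added example (not from the original post), the plain Ruby below models what that interpolation does to the query text and how a placeholder-bound query, quoting values the way ActiveRecord's `where("email = ?", value)` does, keeps the input inside one string literal. The helper names (`interpolated_query`, `quote`, `bound_query`, `segments`, `shape`) and the email addresses are my own constructions; no database is needed to run it.

```ruby
# Added example, not from the original post: a plain-Ruby model (no database
# needed) of why string interpolation into SQL is dangerous and how placeholder
# binding, as ActiveRecord does for where("email = ?", value), avoids it.

# Vulnerable pattern: the user's input becomes part of the SQL text itself.
def interpolated_query(email)
  "SELECT * FROM users WHERE email = '#{email}'"
end

# Quote a Ruby value as a SQL literal: strings are wrapped in single quotes
# with any embedded quote doubled, integers pass through, nil becomes NULL.
def quote(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Safe pattern: the template is fixed code; each ? is replaced by one quoted
# literal, so the input can never change the statement's structure.
def bound_query(template, *values)
  raise ArgumentError, "placeholder count mismatch" unless template.count("?") == values.size
  values = values.dup
  template.gsub("?") { quote(values.shift) }
end

# Split SQL text into code, complete string literals ('' is an escaped quote)
# and any dangling quote, so we can see where the user's input ended up.
def segments(sql)
  sql.scan(/'(?:[^']|'')*'|[^']+|'/).map do |tok|
    kind = if tok == "'" then :unterminated elsif tok.start_with?("'") then :literal else :code end
    [kind, tok]
  end
end

# The statement with every literal masked: a bound query has the same shape
# for every input, while interpolation lets input leak into the code part.
def shape(sql)
  segments(sql).map { |kind, text| kind == :code ? text : "?" }.join
end

if __FILE__ == $PROGRAM_NAME
  email = "o'brien@example.com" # constructed input containing a quote character
  puts shape(interpolated_query(email))                                 # input leaked into code
  puts shape(bound_query("SELECT * FROM users WHERE email = ?", email)) # shape unchanged
end
```

Comparing the masked shape of a query against the shape of its template is the same idea a prepared statement enforces at the database: the structure is fixed before any value is supplied.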
