Added sqli in login field.

2019-02-22 12:31:08 +00:00 · 2019-02-22 12:31:08 +00:00 · 3a9639cbdf
parent 1bfbfa1291
commit 3a9639cbdf
1 changed files with 1 additions and 1 deletions
--- a/app/controllers/user_sessions_controller.rb
+++ b/app/controllers/user_sessions_controller.rb
@ -1,6 +1,6 @@
 class UserSessionsController < ApplicationController
  def create
-    @user = User.find_by :login => user_session_params[:login], :password => Digest::MD5.hexdigest(user_session_params[:password])
+    @user = User.where("users.login = '#{user_session_params[:login]}' AND users.password = '#{Digest::MD5.hexdigest(user_session_params[:password])}'").first
    if @user
      @user.session = SecureRandom.hex
      @user.save