# Vulnerable: user input is concatenated directly into SQL.
email = params[:email]
password = params[:password]
sql = "SELECT * FROM users WHERE email = '#{email}' AND password_hash = '#{password}'"
user = ActiveRecord::Base.connection.execute(sql).first
import psycopg
with psycopg.connect(conninfo) as connection:
with connection.cursor() as cursor:
cursor.execute(
'SELECT id, email FROM users WHERE email = %s',
class ReportQuery
SQL = <<~SQL.freeze
SELECT date_trunc('day', events.created_at) AS day,
count(*) AS total,
count(*) FILTER (WHERE events.kind = 'purchase') AS purchases
FROM events
#!/usr/bin/env bash
sqlmap \
-r login-request.txt \
--risk=2 \
--level=3 \
--batch \