# Vulnerable: user input is concatenated directly into SQL.
email = params[:email]
password = params[:password]
sql = "SELECT * FROM users WHERE email = '#{email}' AND password_hash = '#{password}'"
user = ActiveRecord::Base.connection.execute(sql).first
<h1><%= @post.title %></h1>
<p><%= @post.author_name %></p>
<%# Only sanitized rich text should be rendered as HTML %>
<div class="prose"><%= sanitize(@post.body_html, tags: %w[p a ul ol li strong em code], attributes: %w[href]) %></div>
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off
SecRule ARGS|REQUEST_HEADERS|XML:/* "@detectSQLi" \
"id:1001,phase:2,deny,status:403,log,msg:'Potential SQLi detected'"
require 'ipaddr'
require 'resolv'
uri = URI.parse(params[:url])
allowed_hosts = %w[images.example-cdn.com api.partner.com]