From 14c1fb367d83f7b59e1a96c74521d4f528f6dd53 Mon Sep 17 00:00:00 2001
From: Ken Johnson
Date: Wed, 10 Jul 2013 20:42:04 -0400
Subject: [PATCH] added a tutorial for command injection
---
 app/models/benefits.rb | 7 +++++++
 .../tutorial/injection/_injection_command.html.erb | 10 +++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/app/models/benefits.rb b/app/models/benefits.rb
index cebbdc4..92bbdf3 100644
--- a/app/models/benefits.rb
+++ b/app/models/benefits.rb
@@ -12,6 +12,13 @@ class Benefits < ActiveRecord::Base
 def self.make_backup(file, data_path, full_file_name)
 system("cp #{full_file_name} #{data_path}/bak#{Time.now.to_i}_#{file.original_filename}")
+ # FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}"
 end
+
+=begin
+ def self.make_backup(file, data_path, full_file_name)
+ FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}"
+ end
+=end
 end
diff --git a/app/views/layouts/tutorial/injection/_injection_command.html.erb b/app/views/layouts/tutorial/injection/_injection_command.html.erb
index 5f1c14a..c53fa77 100644
--- a/app/views/layouts/tutorial/injection/_injection_command.html.erb
+++ b/app/views/layouts/tutorial/injection/_injection_command.html.erb
@@ -124,8 +124,16 @@
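Review bot: The `FileUtils.cp` alternative added both as a trailing comment and inside the `=begin`/`=end` block takes the shell out of the backup step, but it still interpolates `file.original_filename` into the destination path unchanged, so an uploaded name carrying path separators or `..` segments can steer the backup outside `data_path`; the same snippet is presented as the solution in the `_injection_command.html.erb` hunk. Reduce the name to its base component before building the path: `FileUtils.cp full_file_name, File.join(data_path, "bak#{Time.now.to_i}_#{File.basename(file.original_filename)}")`. The `"#{full_file_name}"` argument wraps an existing string in interpolation for no effect and can be written as `full_file_name`. Keeping the fix twice, as a comment and as a `=begin` block, is redundant; one form is enough. Rails presumably loads FileUtils already, but a standalone use of this method would need `require "fileutils"`.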

SQL Injection - SOLUTION

- The solution is fairly simple and because this is so poorly done there are numerous ways to fix the vulnerability. One option, is to abstract a file creation method and pass it options such as the path and filename, then call it twice, once for the initial upload and another for the backup. Another option is to make a copy through the use of the
+ The solution is fairly simple and because this is so poorly done there are numerous ways to fix the vulnerability. One option, is to abstract a file creation method and pass it options such as the path and filename, then call it twice, once for the initial upload and another for the backup. Another option is to make a copy through the use of the FileUtils.

+

+ As an example: +

+
 
+					def self.make_backup(file, data_path, full_file_name)
+					   FileUtils.cp "#{full_file_name}", "#{data_path}/bak#{Time.now.to_i}_#{file.original_filename}"
+					 end
+
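Review bot: The example snippet's indentation is inconsistent: the `FileUtils.cp` line sits three columns deeper than `def`, and `end` sits one column deeper, which reads as a paste error in code readers are meant to copy; align the body two spaces under `def` and `end` with `def`. On the rewritten paragraph line, `through the use of the FileUtils.` reads awkwardly; `through the use of FileUtils.cp` names the method the example actually calls. The surrounding HTML markup of this partial is not visible in the hunk, so the placement of the closing element after the snippet cannot be checked here.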