added a sql injection vulnerability

2013-06-03 02:19:36 -04:00
parent 2ac771ca50
commit 6528b56de6
1 changed files with 2 additions and 1 deletions
@@ -23,7 +23,8 @@ class UsersController < ApplicationController
  end
  
  def account_settings
-    @user = current_user
+    #@user = current_user
+    @user = User.find(:first, :conditions => "user_id = '#{params[:user_id]}'")
  end
  
  def update