removes user_id column from User model to use idiomatic Rails automatic IDs

spec/vulnerabilities/sql_injection_spec.rb

@@ -4,8 +4,9 @@ require "spec_helper"
 feature "sql injection" do
   before(:each) do
     UserFixture.reset_all_users
+
     @normal_user = UserFixture.normal_user
-    @admin_user = User.where("admin='t'").first
+    @admin_user = UserFixture.admin_user
   end
 
   scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
@@ -13,14 +14,15 @@ feature "sql injection" do
 
     login(@normal_user)
 
-    visit "/users/#{@normal_user.user_id}/account_settings"
-    within("#account_edit") do
-      fill_in "Email", with: "joe.admin@schmoe.com"
-      fill_in "user_password", with: "H4cketyhack"
-      fill_in "user_password_confirmation", with: "H4cketyhack"
+    visit "/users/#{@normal_user.id}/account_settings"
+
+    within('#account_edit') do
+      fill_in 'Email', :with => 'joe.admin@schmoe.com'
+      fill_in 'user_password', :with => 'H4cketyhack'
+      fill_in 'user_password_confirmation', :with => 'H4cketyhack'
 
       # this is a hidden field, so cannot use fill_in to access it.
-      find(:xpath, "//input[@id='user_user_id']", visible: false).set "8' OR admin='t') --"
+      find(:xpath, "//input[@id='user_id']", :visible => false).set "8' OR admin='t') --"
     end
     click_on "Submit"