A1 SQL Injection Concatenation - richardrowe/railsgoat-tutorials GitHub Wiki

Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Bug

This example of SQL Injection also happens to be a form of Insecure Direct Object Reference, since it uses user-supplied input to decide which user's profile gets updated. Here, however, we focus on the SQL query being built and why it is vulnerable.

Within app/controllers/users_controller.rb

def update
  message = false
  # Vulnerable: params[:user][:user_id] is interpolated straight into the SQL
  # condition string, so the caller controls both which row is loaded (IDOR)
  # and the structure of the WHERE clause itself (SQL injection).
  user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
  user.skip_user_id_assign = true
  # Intended to strip password fields and user_id before mass assignment.
  # Note the precedence: ("password" || "password_confirmation") is just "password",
  # and `... || "user_id"` is always truthy, so every key is rejected here.
  user.update_attributes(params[:user].reject { |k| k == ("password" || "password_confirmation") || "user_id" })
  pass = params[:user][:password]
  # The password is applied separately to whichever user the query returned.
  user.password = pass if !(pass.blank?)
  message = true if user.save!
  respond_to do |format|
    format.html { redirect_to user_account_settings_path(:user_id => current_user.user_id) }
    format.json { render :json => {:msg => message ? "success" : "false "} }
  end
end
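The following is an added example, not code from RailsGoat or from this tutorial. It reproduces how the :conditions string above is assembled, shows what a hostile params[:user][:user_id] turns it into, and contrasts that with the parameterized array form ActiveRecord accepts. quote_literal and expand are assumptions about adapter behaviour (a bound value is sent as one quoted literal with embedded single quotes doubled, which is how SQLite, PostgreSQL and MySQL in standard mode quote strings); strip_literals and injected? are a small structural check written for this example. The payload string is constructed for the demonstration.

```ruby
# 1. What the controller does: untrusted input is interpolated into SQL text.
def vulnerable_condition(user_id)
  "user_id = '#{user_id}'"
end

# 2. The fix for the injection: fixed SQL text plus a separate bind value.
#    This is the array form ActiveRecord accepts, e.g.
#      User.find(:first, :conditions => ["user_id = ?", params[:user][:user_id]])
#    (The IDOR is a separate fix: use current_user instead of trusting the param.)
def parameterized_condition(user_id)
  ["user_id = ?", user_id]
end

# Assumed adapter behaviour: a bound value becomes a single string literal and
# every quote inside it is doubled, so it can never close the literal and
# start a new SQL clause.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Expand a [sql, *binds] pair into the literal SQL text the adapter would send,
# substituting each ? in order.
def expand(condition)
  sql, *binds = condition
  binds.reduce(sql) { |text, bind| text.sub("?", quote_literal(bind)) }
end

# Remove the contents of every single-quoted literal (honouring '' escapes),
# leaving only the SQL structure. Written for this example, not a real parser.
def strip_literals(sql)
  out = String.new
  i = 0
  while i < sql.length
    if sql[i] == "'"
      i += 1
      while i < sql.length
        if sql[i] == "'"
          if sql[i + 1] == "'"   # doubled quote: escaped, still inside literal
            i += 2
            next
          end
          i += 1                 # closing quote
          break
        end
        i += 1
      end
      out << "''"                # placeholder for the removed literal
    else
      out << sql[i]
      i += 1
    end
  end
  out
end

# Did input reach the SQL structure? A bare OR outside any literal is the
# signature of the tautology payload used below.
def injected?(sql)
  strip_literals(sql).match?(/\bOR\b/i)
end

# Constructed payload: closes the open quote, adds a tautology, and lets the
# controller's own trailing quote close the final literal.
PAYLOAD = "' OR '1'='1"

def demo(user_id = PAYLOAD)
  vuln = vulnerable_condition(user_id)
  safe = expand(parameterized_condition(user_id))
  {
    vulnerable_sql: vuln,            # user_id = '' OR '1'='1'  -> matches every row
    vulnerable_injected: injected?(vuln),
    parameterized_sql: safe,         # user_id = ''' OR ''1''=''1'  -> one inert literal
    parameterized_injected: injected?(safe),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

With the payload, find(:first, ...) on the vulnerable condition returns whichever row the database lists first (typically the lowest user_id), and the subsequent password assignment and save! then change that user's password. The parameterized form hands the same bytes to the database as a value, where they match nothing.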

Hint

I wonder who else's account needs updating?
