improved the description of the new SQL injection mitigation assignments

This commit is contained in:
Max Geldner
2018-11-03 16:35:52 +01:00
committed by Nanne Baars
parent d2a2716a9a
commit 083eb1b567
4 changed files with 18 additions and 35 deletions


@ -25,6 +25,11 @@ SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT
SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "
SqlStringInjectionHint9=Try sorting and look at the request
SqlStringInjectionHint10=Intercept the request and try to specify a different order by
SqlStringInjectionHint10a1=First establish a connection, after that you can create a statement.
SqlStringInjectionHint10a2=For every datatype there is a method to insert values into a wildcard symbol in a statement.
SqlStringInjectionHint10b1=A database connection has to be surrounded by a try-catch block to handle the very common case of an error while establishing the connection!
SqlStringInjectionHint10b2=Remember to use the right kind of statement, so your code is no longer vulnerable for SQL-Injections!
SqlStringInjectionHint10b3=The wildcard-symbol '?' in a prepared statement can be filled with the right kind of method. There exists one for every datatype!
SqlStringInjectionHint11=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
SqlStringInjectionHint12=Use for example "(case when (true) then hostname else id end)" in the order by and see what happens
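Review bot: Hint 10b1 presents the try-catch block around the connection as part of the mitigation, but exception handling does nothing against injection; the protection comes from the prepared statement with bound parameters that 10b2 and 10b3 describe, so consider rewording 10b1 as general good practice (or dropping it) so learners do not take error handling for the fix. In the same lines, "vulnerable for SQL-Injections" should read "vulnerable to SQL injection", and the `?` in a prepared statement is a parameter placeholder (bind parameter) rather than a "wildcard symbol", a term SQL normally reserves for `%` and `_` in LIKE patterns; the setter methods in 10a2/10b3 are the `setXxx(index, value)` family of JDBC PreparedStatement. Not part of this change but visible in the trailing context: Hint11 and Hint12 are word-for-word identical.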