From 5921a0674717ea7a76f4e52197080c8bd47469eb Mon Sep 17 00:00:00 2001
From: Omniscimus
Date: Wed, 3 Oct 2018 09:30:30 +0200
Subject: [PATCH] Fix SQL injection mitigation answer (fixes #505)

You need to submit the IP of the webgoat-prd server, not just any of the IPs.
---
 .../owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
index b8237b8df..e54834121 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
@@ -33,7 +33,7 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint {
 @SneakyThrows
 public AttackResult completed(@RequestParam String ip) {
 Connection connection = DatabaseUtilities.getConnection(webSession);
- PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ?");
+ PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where hostname = 'webgoat-prd' and ip = ?");
 preparedStatement.setString(1, ip);
 ResultSet resultSet = preparedStatement.executeQuery();
 if (resultSet.next()) {
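Review bot: The PreparedStatement created on the changed line and the ResultSet from `preparedStatement.executeQuery()` two lines below are never closed anywhere in the hunk, and because the method is annotated `@SneakyThrows`, a SQLException thrown by `setString`, `executeQuery` or `next()` escapes before any later close could run. Unless the remainder of completed() (which continues past the last hunk line) closes them, every submission to this endpoint leaks a statement and an open cursor on the session's connection, which is a resource-exhaustion concern for a user-reachable handler. Wrapping the statement and result set in try-with-resources bounds their lifetime regardless of how the method exits; the connection itself comes from `DatabaseUtilities.getConnection(webSession)` and looks session-scoped, so I would not close it here. The hard-coded `'webgoat-prd'` literal is fine as written since the user-supplied `ip` stays bound through `setString`.
```java
try (PreparedStatement preparedStatement = connection.prepareStatement(
        "select ip from servers where hostname = 'webgoat-prd' and ip = ?")) {
    preparedStatement.setString(1, ip);
    try (ResultSet resultSet = preparedStatement.executeQuery()) {
        if (resultSet.next()) {
            // … unchanged: remainder of completed(), outside the hunk …
```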