Fix SQL injection mitigation answer (fixes #505)

You need to submit the IP of the webgoat-prd server, not just any of the IPs.
2018-10-03 09:30:30 +02:00 · 2018-10-03 09:30:30 +02:00 · 5921a06747
commit 5921a06747
parent 3536fd0b6d
1 changed files with 1 additions and 1 deletions
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
@ -33,7 +33,7 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint {
    @SneakyThrows
    public AttackResult completed(@RequestParam String ip) {
        Connection connection = DatabaseUtilities.getConnection(webSession);
-        PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ?");
+        PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where hostname = 'webgoat-prd' and ip = ?");
        preparedStatement.setString(1, ip);
        ResultSet resultSet = preparedStatement.executeQuery();
        if (resultSet.next()) {