From 59c96f98907c09bea5bd74c2978f4310d10fe231 Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Mon, 29 Mar 2021 11:02:50 +0200
Subject: [PATCH] Fix lesson it no marks it as solved if the user uses a different username
---
 .../sql_injection/advanced/SqlInjectionChallengeLogin.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java
index b52531709..dc12530aa 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/sql_injection/advanced/SqlInjectionChallengeLogin.java
@@ -48,14 +48,14 @@ public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
 @ResponseBody
 public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
 try (var connection = dataSource.getConnection()) {
- PreparedStatement statement = connection.prepareStatement("select password from sql_challenge_users where userid = ? and password = ?");
+ var statement = connection.prepareStatement("select password from sql_challenge_users where userid = ? and password = ?");
 statement.setString(1, username_login);
 statement.setString(2, password_login);
- ResultSet resultSet = statement.executeQuery();
+ var resultSet = statement.executeQuery();
 if (resultSet.next()) {
 return ("tom".equals(username_login)) ? success(this).build()
- : success(this).feedback("ResultsButNotTom").build();
+ : failed(this).feedback("ResultsButNotTom").build();
 } else {
 return failed(this).feedback("NoResultsMatched").build();
 }
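Review bot: The two new `var` declarations still leave the PreparedStatement and ResultSet outside the try-with-resources, so only the connection is closed explicitly and releasing the statement is left to `Connection.close()`, which a pooling DataSource's logical close may or may not do depending on the pool. Since these lines are being rewritten anyway, the statement fits in the resource header, `try (var connection = dataSource.getConnection(); var statement = connection.prepareStatement("select password from sql_challenge_users where userid = ? and password = ?")) {`, and the result set in a nested `try (var resultSet = statement.executeQuery()) {` around the `if`. The ternary would also benefit from a why-comment, e.g. `// only a match for user tom solves the assignment; any other matching account is reported but not credited`, since the "tom" literal is the whole point of the fix. The closing braces of the try block and of login() lie outside the hunk.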