From 641d75e734fef41fa83e0570e616a01ddfc29f87 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Tue, 20 Oct 2020 22:00:29 +0200 Subject: [PATCH] Link to the original lesson for the goal --- .../resources/lessonPlans/en/SqlInjection_content12a.adoc | 4 +++- .../resources/lessonPlans/en/SqlInjection_content12b.adoc | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc index 959459408..7c06661d1 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc @@ -2,10 +2,12 @@ You need to do both use parametrized queries and validate the input received from the user. On StackOverflow you will see alot of answers stating that input validation is enough. *However* it only takes you so far before you know it -the validation is broken and you have an SQL injection in your application. +the validation is broken, and you have an SQL injection in your application. A nice read why it is not enough can be found https://twitter.com/marcan42/status/1238004834806067200?s=21 Let's repeat one of the previous assignments, the developer fixed the possible SQL injection with filtering, can you spot the weakness in this approach? +Read about the lesson goal link:start.mvc#lesson/SqlInjectionAdvanced.lesson/2[here]. + diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12b.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12b.adoc index 41207c3da..f0c1dd0ca 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12b.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12b.adoc 
@@ -3,5 +3,6 @@ So the last attempt to validate if the query did not contain any spaces failed, the development team went further into the direction of only performing input validation, can you find out where it went wrong this time? +Read about the lesson goal link:start.mvc#lesson/SqlInjectionAdvanced.lesson/2[here].
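Review bot: in the SqlInjection_content12a.adoc hunk, the context lines this change touches still carry "alot" and "You need to do both use parametrized queries and validate the input", so since the hunk already reaches into this paragraph for a comma fix, take the typo and the phrasing with it ("You need to both use parameterized queries and validate the input ..."). The new line `+Read about the lesson goal link:start.mvc#lesson/SqlInjectionAdvanced.lesson/2[here].` uses "here" as link text; a descriptive label such as `[the lesson goal]` reads better in the rendered lesson plan and is clearer for screen readers.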
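Review bot: the SqlInjection_content12b.adoc hunk adds the identical target `link:start.mvc#lesson/SqlInjectionAdvanced.lesson/2[here]` as the 12a hunk, even though this file is the follow-up assignment ("went further into the direction of only performing input validation"); please confirm that lesson page 2 is the intended goal for both pages rather than each page linking to its own. Also, the 12a hunk ends the added block with a blank line while this hunk does not; keep the two consistent so the rendered AsciiDoc spacing matches.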