dubey/WebGoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

#839: fix the SQL statement as this one does not express that the orderBy clause input is user input

Browse Source
This commit is contained in:
Nanne Baars 2020-10-22 21:34:05 +02:00 committed by Nanne Baars
parent dac011db78
commit 7b8523dcab
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc
View File

@ -6,7 +6,7 @@ Answer: No it does not
Let us take a look at the following statement:
----
SELECT * FROM users ORDER BY lastname;
"SELECT * FROM users ORDER BY " + sortColumName + ";"
----
If we look at the specification of the SQL grammar the definition is as follows:
@ -44,4 +44,4 @@ expression.
=== Mitigation
If you need to provide a sorting column in your web application you should implement a whitelist to validate the value
of the `order by` statement it should always be limited to something like 'firstname' or 'lastname'.
of the `order by` statement it should always be limited to something like 'first name' or 'last name'.