From 7b8523dcab0d77f9767d9d54298ebce7fbc7f952 Mon Sep 17 00:00:00 2001 From: Nanne Baars Date: Thu, 22 Oct 2020 21:34:05 +0200 Subject: [PATCH] #839: fix the SQL statement as this one does not express that the `orderBy` clause input is user input --- .../main/resources/lessonPlans/en/SqlInjection_content13.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc index 52c8983bf..22e79ab66 100644 --- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc +++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content13.adoc @@ -6,7 +6,7 @@ Answer: No it does not Let us take a look at the following statement: ---- -SELECT * FROM users ORDER BY lastname; +"SELECT * FROM users ORDER BY " + sortColumName + ";" ---- If we look at the specification of the SQL grammar the definition is as follows: @@ -44,4 +44,4 @@ expression. === Mitigation If you need to provide a sorting column in your web application you should implement a whitelist to validate the value -of the `order by` statement it should always be limited to something like 'firstname' or 'lastname'. +of the `order by` statement it should always be limited to something like 'first name' or 'last name'.
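Review bot: In the first hunk (SqlInjection_content13.adoc, the `----` listing), the variable name in the added line is misspelled: `sortColumName` should be `sortColumnName`, since learners will copy this identifier when they try the lesson. The replacement also turns a SQL listing into a Java string-concatenation expression, which is the right way to show that the `ORDER BY` operand is user input, but the sentence that follows ("If we look at the specification of the SQL grammar the definition is as follows") still reads as if the listing were plain SQL; consider a one-line lead-in such as "In the application the query is built like this:" so the reader knows they are looking at application code rather than the statement the database receives. Finally, consider dropping the trailing `+ ";"`: the semicolon adds nothing to the point being made and suggests stacked queries, which this lesson does not cover.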
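Review bot: In the second hunk (the `=== Mitigation` paragraph), changing 'firstname' and 'lastname' to 'first name' and 'last name' makes the example worse, not better: an allow list for an `ORDER BY` column should contain the literal column identifiers the query can use, and the lesson's own table is queried as `SELECT * FROM users ORDER BY ...` with a `lastname` column, so the values with spaces no longer match anything the whitelist would accept. Keep the identifiers as 'firstname' and 'lastname' (or whatever the users table actually calls them). While touching this line, the sentence is a run-on; a fix along the lines of "...to validate the value of the `order by` column; it should always be limited to a fixed set such as 'firstname' or 'lastname'." reads more clearly and makes the mitigation explicit that the input is matched against a closed set of identifiers rather than escaped.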