display query string to user after success, added hints
					committed by
					
						 Nanne Baars
						Nanne Baars
						parent
						
							2be2de8ce1
					commit
					7c32232faa
				
			| @ -46,7 +46,7 @@ import java.sql.*; | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjection/attack2") | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2"}) | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2", "SqlStringInjectionHint2-3", "SqlStringInjectionHint2-4"}) | ||||
| public class SqlInjectionLesson2 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
| @ -68,9 +68,9 @@ public class SqlInjectionLesson2 extends AssignmentEndpoint { | ||||
|                 StringBuffer output = new StringBuffer(); | ||||
|  | ||||
|                 results.first(); | ||||
|                 // user completes lesson if department is "Marketing" | ||||
|                 // what if other employee with same dept is result? | ||||
|  | ||||
|                 if (results.getString("department").equals("Marketing")) { | ||||
|                     output.append("<span class='feedback-positive'>" + _query + "</span>"); | ||||
|                     output.append(SqlInjectionLesson8.generateTable(results)); | ||||
|                     return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build()); | ||||
|                 } else { | ||||
|  | ||||
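Review bot: The new `output.append("<span class='feedback-positive'>" + _query + "</span>");` line reflects the user-controlled query text into the HTML response without escaping, so any markup in the submitted query is rendered as markup — a reflected-XSS path that is outside the SQL-injection goal of this lesson. Escape the value before appending, e.g. `output.append("<span class='feedback-positive'>" + HtmlUtils.htmlEscape(_query) + "</span>");` using `org.springframework.web.util.HtmlUtils` (spring-web is presumably on the classpath given the `@RequestMapping` usage), or whichever HTML escaper the project already uses. `_query` is presumably the method parameter bound from the request; the enclosing method begins and ends outside this hunk, so confirm it is not already sanitized upstream. The `results.getString("department").equals("Marketing")` check would throw a NullPointerException on a NULL department, but that is pre-existing code rather than part of this change.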
| @ -14,6 +14,8 @@ sql-injection.2.success=<span class='feedback-positive'>You have succeeded!</spa | ||||
| sql-injection.2.failed=<span class='feedback-negative'>Something went wrong! You got no results, check your SQL Statement and the table above.</span> | ||||
| SqlStringInjectionHint2-1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name). | ||||
| SqlStringInjectionHint2-2=SELECT column FROM tablename WHERE condition; | ||||
| SqlStringInjectionHint2-3=Use ' instead of " when comparing two strings. | ||||
| SqlStringInjectionHint2-4=Pay attention to case sensitivity when comparing two strings. | ||||
|  | ||||
| SqlStringInjectionHint3-1=Try the UPDATE statement | ||||
| SqlStringInjectionHint3-2=UPDATE tablename SET columnname=value WHERE condition; | ||||
|  | ||||