added hints to sql injection assignment 4 & 5, minor text changes to be consistent with other assignments
					committed by
					
						 Nanne Baars
						Nanne Baars
					
				
			
			
				
	
			
			
			
						parent
						
							0098f07d00
						
					
				
				
					commit
					90da672be2
				
			| @ -46,7 +46,7 @@ import java.sql.*; | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjection/attack4") | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2"}) | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2", "SqlStringInjectionHint4a3"}) | ||||
| public class SqlInjectionLesson4 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|  | ||||
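Review bot: The hint keys listed on `@AssignmentHints` are only string references into the lesson's message bundle, so a typo or a key that is not defined in the properties file is not caught by the compiler and only shows up as a missing label when the hint is displayed; the new `SqlStringInjectionHint4a3` does match the key added in the properties hunk of this commit, but the same check is worth making for the `/SqlInjection/attack5` section below, where the two printed annotation lines reference `SqlStringInjectionHint5a2` and the properties hunk adds only `SqlStringInjectionHint5a1`. As a point of style, since the annotation's only element is `value`, the explicit `value =` can be dropped: `@AssignmentHints({"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2", "SqlStringInjectionHint4a3"})`. The enclosing class `SqlInjectionLesson4` begins before and continues past this hunk.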
| @ -46,7 +46,7 @@ import java.sql.*; | ||||
|  * @created October 28, 2003 | ||||
|  */ | ||||
| @AssignmentPath("/SqlInjection/attack5") | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint5a1", "SqlStringInjectionHint5a2"}) | ||||
| @AssignmentHints(value = {"SqlStringInjectionHint5a1"}) | ||||
| public class SqlInjectionLesson5 extends AssignmentEndpoint { | ||||
|  | ||||
|     @RequestMapping(method = RequestMethod.POST) | ||||
|  | ||||
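Review bot: Which of the two `@AssignmentHints` lines is the new side is not recoverable from this rendering, but only `SqlStringInjectionHint5a1` is added to the message bundle elsewhere in this commit; if the version referencing `SqlStringInjectionHint5a2` is the one kept, that key should be confirmed to exist in the bundle, otherwise the second hint for `/SqlInjection/attack5` will render as an unresolved label at runtime rather than fail at build time. A short comment on the annotation naming the bundle the keys must exist in, e.g. `// keys must be defined in the lesson's WebGoatLabels bundle`, would make the coupling visible to the next person editing hints. The enclosing class `SqlInjectionLesson5` begins before and continues past this hunk.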
| @ -33,6 +33,10 @@ SqlStringInjectionHint2a1=You want the data from the column with the name depart | ||||
| SqlStringInjectionHint2a2=SELECT column FROM tablename WHERE condition; | ||||
| SqlStringInjectionHint3a1=Try the UPDATE statement | ||||
| SqlStringInjectionHint3a2=UPDATE tablename SET columnname=value WHERE condition; | ||||
| SqlStringInjectionHint4a1=ALTER TABLE alters the structure of an existing database | ||||
| SqlStringInjectionHint4a2=Don't forget the data type of the new column (e.g. varchar(size) or int(size)) | ||||
| SqlStringInjectionHint4a3=ALTER TABLE tablename ADD columnname data type(size); | ||||
| SqlStringInjectionHint5a1=Look at the example. There's everything you'll need. | ||||
| SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query. | ||||
| SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ... | ||||
| SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- " | ||||
|  | ||||
| @ -12,10 +12,10 @@ If an attacker uses a SQL injection of the DML type to manipulate your database, | ||||
| * DELETE - Delete all records from a database table | ||||
| * Example: | ||||
| ** Retrieve data: | ||||
| ** SELECT Phone  + | ||||
|    FROM Employees + | ||||
|    WHERE IdNum = 1354; | ||||
| ** This statement delivers the phone number of the employee with the number 1354. | ||||
| ** SELECT phone  + | ||||
|    FROM employees + | ||||
|    WHERE userid = 96134; | ||||
| ** This statement delivers the phone number of the employee with the userid 96134. | ||||
|  | ||||
| === It's your turn! | ||||
| Try to change the department of Tobi Barnett to 'Sales'. | ||||
|  | ||||
| @ -10,7 +10,7 @@ If an attacker uses a SQL injection of the DDL type to manipulate your database, | ||||
| * ALTER - alters the structure of the existing database | ||||
| * DROP - delete objects from the database | ||||
| * Example: | ||||
| ** CREATE TABLE Employees( + | ||||
| ** CREATE TABLE employees( + | ||||
|        userid varchar(6) not null primary key, + | ||||
|        first_name varchar(20), + | ||||
|        last_name varchar(20), + | ||||
|  | ||||