From b06fb72a743dbd6a5272aadb7047a98be4db9b5a Mon Sep 17 00:00:00 2001
From: Nanne Baars
Date: Tue, 25 Jul 2017 17:40:55 +0200
Subject: [PATCH] Fixed typo

---
 .../resources/lessonPlans/en/SqlInjection_content12a.adoc | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc
index 88d1a4f4c..e34480675 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_content12a.adoc
@@ -1,6 +1,6 @@
 == Order by clause
 
-Question: Does a preparared statement always prevent against an SQL injection?
+Question: Does a prepared statement always prevent against an SQL injection?
 Answer: No it does not
 
 Let's take a look at the following statement:
@@ -30,12 +30,11 @@ selectExpression: Based on HSQLDB
 ----
 
-This means an `orderExpression` van be a `selectExpression` which can be a function as well, so for example with
+This means an `orderExpression` can be a `selectExpression` which can be a function as well, so for example with
 a `case` statement we might be able to ask the database some questions, like:
 
 ----
-select * from users order by
-  (select case when (true) then lastname else firstname)
+select * from users order by (case when (true) then lastname else firstname)
 ----
 
 So we can substitute any kind of boolean operation in the `when(....)` part. The statement will just work because