From f091e21c605f7ebf52d9de4fd5721fd13b857d90 Mon Sep 17 00:00:00 2001
From: mayhew64
Date: Wed, 16 Nov 2016 16:18:22 -0500
Subject: [PATCH] Fixed test for password
---
 .../java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java | 4 ++--
 .../SqlInjection/lessonPlans/en/SqlInjection_content7.adoc | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java
index 2e57cb3d8..d00d1e19a 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/SqlInjectionLesson6b.java
@@ -54,7 +54,7 @@ public class SqlInjectionLesson6b extends Assignment {
 @RequestMapping(method = RequestMethod.POST)
 public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
- if (!userid_6b.toString().equals(getPassword())) {
+ if (userid_6b.toString().equals(getPassword())) {
 return trackProgress(AttackResult.success());
 } else {
 return trackProgress(AttackResult.failed("You are close, try again"));
@@ -85,7 +85,7 @@ public class SqlInjectionLesson6b extends Assignment {
 if ((results != null) && (results.first() == true)) {
- password = results.getNString("password");
+ password = results.getString("password");
 }
 } catch (SQLException sqle) {
diff --git a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content7.adoc b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content7.adoc
index 68cbbdbdf..ad9cf05b1 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content7.adoc
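Review bot: The `.toString()` in the corrected condition is a no-op, since `userid_6b` is already declared as a `String` in the signature two lines above; `if (userid_6b.equals(getPassword())) {` says the same thing without suggesting a conversion is happening. A second point on the same line: if `getPassword()` comes back null (the second hunk only assigns `password` when a row is found, and its catch block swallows `SQLException`), `equals` simply returns false and the user is told "You are close, try again", so a broken lookup is indistinguishable from a wrong answer. A null guard on the result of `getPassword()` that returns a distinct failure message would make that state visible to whoever runs the lesson. The body of `completed` continues past the end of this hunk, so any handling after the `else` branch is not visible here.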
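Review bot: `results.first()` on the retained condition line is only valid on a scrollable `ResultSet`; with a default forward-only statement it throws `SQLException`, which the `catch (SQLException sqle)` at the end of this hunk would absorb, leaving `password` unset and every answer rejected. Unless the statement is created with a scrollable type (not visible in this hunk), `if (results != null && results.next()) {` is the portable way to move to the first row; the `== true` is redundant either way, and `executeQuery` is specified never to return null, so the null check can be dropped once that is confirmed. The enclosing method starts and ends outside the hunk, so whether `results` and its statement are closed in a `finally` or try-with-resources cannot be judged from here and is worth checking in the same pass.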
+++ b/webgoat-lessons/sql-injection/src/main/resources/plugin/SqlInjection/lessonPlans/en/SqlInjection_content7.adoc
@@ -1,6 +1,8 @@
 == Immutable Queries
-=== Static queries?
+These are the best defense against SQL Injection. They either do not have data that could get interpreted or the treat the data as a single entity that is bound to a column without interpretation.
+
+=== Static Queries
 -------------------------------------------------------
 select * from products;
 -------------------------------------------------------
@@ -10,7 +12,6 @@ select * from users where user = "'" + session.getAttribute("UserID") + "'";
 -------------------------------------------------------
 === Parameterized Queries
-
 -------------------------------------------------------
 String query = "SELECT * FROM users WHERE last_name = ?";
 PreparedStatement statement = connection.prepareStatement(query);
@@ -19,5 +20,4 @@ ResultSet results = statement.executeQuery();
 -------------------------------------------------------
 === Stored Procedures
-
 Only if stored procedure does not generate dynamic SQL