Fixed test for password
@ -54,7 +54,7 @@ public class SqlInjectionLesson6b extends Assignment {
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
if (!userid_6b.toString().equals(getPassword())) {
if (userid_6b.toString().equals(getPassword())) {
return trackProgress(AttackResult.success());
} else {
return trackProgress(AttackResult.failed("You are close, try again"));
@ -85,7 +85,7 @@ public class SqlInjectionLesson6b extends Assignment {
if ((results != null) && (results.first() == true))
{
password = results.getNString("password");
password = results.getString("password");
}
} catch (SQLException sqle)
{
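Review bot: `userid_6b.toString()` on the new `if` line of the first hunk is a no-op on a `String` parameter; the condition reads better as `if (userid_6b.equals(getPassword())) {`. The body of `completed` continues past the hunk, and `getPassword()` is only partly visible in the second hunk: if the `catch (SQLException sqle)` branch leaves `password` unset, `equals` returns false and the lesson reports failure rather than success, which looks intended but deserves a comment on the `if` such as `// a failed password lookup must never be reported as a solved lesson`. In the second hunk, `(results.first() == true)` can be written as `results.first()`.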
@ -1,6 +1,8 @@
== Immutable Queries
=== Static queries?
These are the best defense against SQL Injection. They either do not have data that could get interpreted or the treat the data as a single entity that is bound to a column without interpretation.
=== Static Queries
-------------------------------------------------------
select * from products;
-------------------------------------------------------
@ -10,7 +12,6 @@ select * from users where user = "'" + session.getAttribute("UserID") + "'";
-------------------------------------------------------
=== Parameterized Queries
-------------------------------------------------------
String query = "SELECT * FROM users WHERE last_name = ?";
PreparedStatement statement = connection.prepareStatement(query);
@ -19,5 +20,4 @@ ResultSet results = statement.executeQuery();
-------------------------------------------------------
=== Stored Procedures
Only if stored procedure does not generate dynamic SQL