Fixed test for password
@ -54,7 +54,7 @@ public class SqlInjectionLesson6b extends Assignment {
@RequestMapping(method = RequestMethod.POST)
@RequestMapping(method = RequestMethod.POST)
public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
public @ResponseBody AttackResult completed(@RequestParam String userid_6b, HttpServletRequest request) throws IOException {
if (!userid_6b.toString().equals(getPassword())) {
if (userid_6b.toString().equals(getPassword())) {
return trackProgress(AttackResult.success());
return trackProgress(AttackResult.success());
} else {
} else {
return trackProgress(AttackResult.failed("You are close, try again"));
return trackProgress(AttackResult.failed("You are close, try again"));
@ -85,7 +85,7 @@ public class SqlInjectionLesson6b extends Assignment {
if ((results != null) && (results.first() == true))
if ((results != null) && (results.first() == true))
{
{
password = results.getNString("password");
password = results.getString("password");
}
}
} catch (SQLException sqle)
} catch (SQLException sqle)
{
{
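Review bot: `results.first()` in the second hunk (around line 85) only works on a scrollable ResultSet; if the statement that produced it was created with the default TYPE_FORWARD_ONLY type, which cannot be seen from this hunk, the JDBC spec has the call throw SQLException, and the catch below would then treat a perfectly good lookup as a failure, so the portable form is `if (results != null && results.next()) {`. The `== true` comparison on the boolean result adds nothing and can be dropped at the same time. In the first hunk the `.toString()` call on `userid_6b` is a no-op on a String parameter and should be removed for clarity, keeping the `equals` comparison as the commit leaves it. Both enclosing methods (`completed` and the one that fills `password`) start and end outside the hunks, so whether `getPassword()` can return null, and which `getString`/`getNString` variant the rest of the code expects, cannot be confirmed here.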
@ -1,6 +1,8 @@
== Immutable Queries
== Immutable Queries
=== Static queries?
These are the best defense against SQL Injection. They either do not have data that could get interpreted or the treat the data as a single entity that is bound to a column without interpretation.
=== Static Queries
-------------------------------------------------------
-------------------------------------------------------
select * from products;
select * from products;
-------------------------------------------------------
-------------------------------------------------------
@ -10,7 +12,6 @@ select * from users where user = "'" + session.getAttribute("UserID") + "'";
-------------------------------------------------------
-------------------------------------------------------
=== Parameterized Queries
=== Parameterized Queries
-------------------------------------------------------
-------------------------------------------------------
String query = "SELECT * FROM users WHERE last_name = ?";
String query = "SELECT * FROM users WHERE last_name = ?";
PreparedStatement statement = connection.prepareStatement(query);
PreparedStatement statement = connection.prepareStatement(query);
@ -19,5 +20,4 @@ ResultSet results = statement.executeQuery();
-------------------------------------------------------
-------------------------------------------------------
=== Stored Procedures
=== Stored Procedures
Only if stored procedure does not generate dynamic SQL
Only if stored procedure does not generate dynamic SQL