From f62eb33c4bdff8dbd6345c0f73ba8822c63fa7e9 Mon Sep 17 00:00:00 2001
From: "rogan.dawes"
Date: Wed, 25 Jul 2007 12:57:17 +0000
Subject: [PATCH] Commit Dave's fixes

git-svn-id: http://webgoat.googlecode.com/svn/trunk@210 4033779f-a91e-0410-96ef-6bf7bf53c507
---
 .../webgoat/lessons/SQLInjection/Login.java | 1 +
 .../lessons/SQLInjection/ViewProfile.java | 7 +++++--
 .../SQLInjection/ViewProfile_i.java | 21 ++++++++++++++-----
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java
index 7cdbf5c0b..cbad6f5df 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/Login.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.lessons.SQLInjection;
 
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java
index 22f6b9fdf..c6ac1978a 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SQLInjection/ViewProfile.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.lessons.SQLInjection;
 
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
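Review bot: The `import java.sql.PreparedStatement;` added to Login.java has no accompanying use in this commit — the diffstat records exactly one insertion for that file — and the same import is added to ViewProfile.java in the second hunk on this line without any PreparedStatement code in that file's hunks either. The `import org.owasp.webgoat.util.HtmlEncoder;` lines added to ViewProfile.java and ViewProfile_i.java in the following hunks look unused in the same way, unless an unseen hunk or a pre-existing fully qualified reference relies on them. Unused imports are flagged by Checkstyle/Error Prone and usually signal a half-landed change; either drop them or land the code that uses them in the same commit.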
@@ -11,6 +12,7 @@ import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.UnauthenticatedException;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.HtmlEncoder;
 
 /*******************************************************************************
  *
@@ -107,8 +109,9 @@ public class ViewProfile extends DefaultLessonAction
 // Query the database for the profile data of the given employee
 try
 {
- String query = "SELECT * FROM employee WHERE userid = "
- + subjectUserId;
+ String query = "SELECT employee.* "
+ + "FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
+ + "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
 
 try
 {
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
index 0ef1e3496..a7cb75020 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/instructor/SQLInjection/ViewProfile_i.java
@@ -9,6 +9,7 @@ import org.owasp.webgoat.lessons.SQLInjection.ViewProfile;
 import org.owasp.webgoat.session.Employee;
 import org.owasp.webgoat.session.UnauthorizedException;
 import org.owasp.webgoat.session.WebSession;
+import org.owasp.webgoat.util.HtmlEncoder;
 
 /* Solution Summary: Edit ViewProfile.java and change getEmployeeProfile().
 
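Review bot: The rebuilt query in the ViewProfile.java hunk at -107 now splices two caller-supplied strings, `userId` and `subjectUserId`, directly into the SQL text, and nothing in the hunk records that this is the lesson's intentionally unparameterized version whose fix lives in ViewProfile_i. A one-line comment above `String query`, such as `// Lesson code: deliberately built by string concatenation; the STAGE 4 fix in ViewProfile_i binds both ids through a PreparedStatement`, would keep a later maintainer from either "fixing" the teaching example or copying it into real code. The enclosing method begins and ends outside the hunk and the hunk header names only the class, so the method name (getEmployeeProfile, per the instructor notes in the next file) is inferred rather than visible.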
@@ -16,15 +17,22 @@ Solution Summary: Edit ViewProfile.java and change getEmployeeProfile().
 Solution Steps:
 1. Change dynamic query to parameterized query.
- a. Replace the dynamic varaibles with the "?"
- String query = "SELECT * FROM employee WHERE userid = ?";
+ a. Replace the dynamic variables with the "?"
+ Old: String query = "SELECT employee.* "
+ + "FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
+ + "ownership.employer_id = " + userId + " and ownership.employee_id = " + subjectUserId;
+
+ New: String query = "SELECT employee.* "
+ + "FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
+ + "ownership.employer_id = ? and ownership.employee_id = ?";
 b. Create a preparedStatement using the new query
 PreparedStatement answer_statement = SQLInjection.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
 c. Set the values of the parameterized query
- answer_statement.setInt(1, Integer.parseInt(subjectUserId));
+ answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
+ answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
 d. Execute the preparedStatement
 ResultSet answer_results = answer_statement.executeQuery();
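Review bot: The updated solution text still tells the student to obtain the connection via `SQLInjection.getConnection(s)` in step b, while the working code in the next hunk of this same file calls `WebSession.getConnection(s)`; since the commit already rewrote the neighbouring lines of this comment, this is the moment to align them so the instructions compile when followed literally. Change the step-b line to `PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement(` — or the reverse if SQLInjection.getConnection is the intended API, which cannot be settled from the visible hunks. The comment block is only partly inside the hunk.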
@@ -47,13 +55,16 @@ public class ViewProfile_i extends ViewProfile
 try
 {
- String query = "SELECT * FROM employee WHERE userid = ?"; // STAGE 4 - FIX
+ String query = "SELECT employee.* "
+ + "FROM employee,ownership WHERE employee.userid = ownership.employee_id and "
+ + "ownership.employer_id = ? and ownership.employee_id = ?";
 
 try
 {
 PreparedStatement answer_statement = WebSession.getConnection(s).prepareStatement( query, ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY ); // STAGE 4 - FIX
- answer_statement.setInt(1, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
+ answer_statement.setInt(1, Integer.parseInt(userId)); // STAGE 4 - FIX
+ answer_statement.setInt(2, Integer.parseInt(subjectUserId)); // STAGE 4 - FIX
 ResultSet answer_results = answer_statement.executeQuery(); // STAGE 4 - FIX
 if (answer_results.next())
 {
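Review bot: The two new `Integer.parseInt(...)` calls turn a non-numeric `userId` or `subjectUserId` into an unchecked NumberFormatException thrown from inside the inner `try`, whose catch clauses lie outside the hunk; if they only catch SQLException (not visible here), a malformed request parameter surfaces as an uncaught exception instead of the lesson's normal error path. Parsing both ids before any JDBC work, e.g. `int employerId = Integer.parseInt(userId);` and `int employeeId = Integer.parseInt(subjectUserId);` placed ahead of `String query`, and binding those locals with `setInt` keeps the conversion failure separate from statement errors and makes it obvious what to catch. The PreparedStatement and ResultSet opened here are not closed within the hunk; whether that happens later cannot be seen from this view. The method's start and end are outside the hunk.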