Hacking the statements
CityBook Libraries is developing a search feature that allows users to look up books by title. You're concerned about system security, so you've decided to test it against SQL injection attacks.
Validate if you can retrieve unauthorized data using SQL injection. The HikariSetup class is already configured.
Diese Übung ist Teil des Kurses
Querying a PostgreSQL Database in Java
Anleitung zur Übung
- Change
titleParameterto inject a condition that will allow reading all books.
Interaktive Übung
Vervollständige den Beispielcode, um diese Übung erfolgreich abzuschließen.
public class Main {
public static void main(String[] args) throws SQLException {
HikariDataSource ds = HikariSetup.createDataSource();
// Change the title to inject a condition that will allow reading all books
String titleParameter = "To Kill a Mockingbird";
String query = "SELECT * FROM books WHERE title = '" + titleParameter + "'";
try (Connection conn = ds.getConnection()) {
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(query);
while (rs.next()) {
System.out.printf("ID: %d, Title: %s (%d)%n", rs.getInt("book_id"), rs.getString("title"), rs.getInt("publication_year"));
}
}
}
}