Hacking the statements
CityBook Libraries is developing a search feature that allows users to look up books by title. You're concerned about system security, so you've decided to test it against SQL injection attacks.
Validate if you can retrieve unauthorized data using SQL injection. The HikariSetup class is already configured.
Este ejercicio forma parte del curso
Querying a PostgreSQL Database in Java
Instrucciones del ejercicio
- Change
titleParameterto inject a condition that will allow reading all books.
Ejercicio interactivo práctico
Prueba este ejercicio y completa el código de muestra.
public class Main {
public static void main(String[] args) throws SQLException {
HikariDataSource ds = HikariSetup.createDataSource();
// Change the title to inject a condition that will allow reading all books
String titleParameter = "To Kill a Mockingbird";
String query = "SELECT * FROM books WHERE title = '" + titleParameter + "'";
try (Connection conn = ds.getConnection()) {
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(query);
while (rs.next()) {
System.out.printf("ID: %d, Title: %s (%d)%n", rs.getInt("book_id"), rs.getString("title"), rs.getInt("publication_year"));
}
}
}
}