
Hacking the statements

CityBook Libraries is developing a search feature that allows users to look up books by title. You're concerned about system security, so you've decided to test it against SQL injection attacks.

Check whether you can retrieve unauthorized data using SQL injection. The HikariSetup class is already configured.

This exercise is part of the course

Querying a PostgreSQL Database in Java


Instructions

  • Change titleParameter to inject a condition that will allow reading all books.

Hands-on interactive exercise

Try this exercise by completing the sample code below.

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import com.zaxxer.hikari.HikariDataSource;

public class Main {
    public static void main(String[] args) throws SQLException {
        // HikariSetup is the pre-configured data source factory provided by the exercise
        HikariDataSource ds = HikariSetup.createDataSource();

        // Change the title to inject a condition that will allow reading all books
        String titleParameter = "To Kill a Mockingbird";

        // The user-supplied title is concatenated straight into the SQL text,
        // so it is parsed as part of the statement rather than treated as data
        String query = "SELECT * FROM books WHERE title = '" + titleParameter + "'";

        try (Connection conn = ds.getConnection()) {
            Statement stmt = conn.createStatement();
            ResultSet rs = stmt.executeQuery(query);
            while (rs.next()) {
                System.out.printf("ID: %d, Title: %s (%d)%n", rs.getInt("book_id"), rs.getString("title"), rs.getInt("publication_year"));
            }
        }
    }
}
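The hardened form of the same lookup, added here as an example and not part of the exercise or the course code: the query is identical, but the title is bound with a PreparedStatement so the database never parses user input as SQL. It assumes the exercise's HikariSetup class and books table (book_id, title, publication_year).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

import com.zaxxer.hikari.HikariDataSource;

public class SafeBookSearch {

    // Same query as the exercise, but the title is a bound parameter.
    // The driver sends the SQL text and the value separately, so quote
    // characters or SQL keywords inside titleParameter are never parsed
    // as SQL: the value is compared literally against the title column.
    public static List<String> findByTitle(HikariDataSource ds, String titleParameter)
            throws SQLException {
        String query = "SELECT book_id, title, publication_year FROM books WHERE title = ?";
        List<String> rows = new ArrayList<>();
        try (Connection conn = ds.getConnection();
             PreparedStatement stmt = conn.prepareStatement(query)) {
            stmt.setString(1, titleParameter);   // bound as data, not spliced into SQL
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    rows.add(String.format("ID: %d, Title: %s (%d)",
                            rs.getInt("book_id"), rs.getString("title"),
                            rs.getInt("publication_year")));
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) throws SQLException {
        // HikariSetup is the exercise's pre-configured data source factory (assumed).
        HikariDataSource ds = HikariSetup.createDataSource();
        try {
            // A normal lookup returns only the matching book(s).
            for (String row : findByTitle(ds, "To Kill a Mockingbird")) {
                System.out.println(row);
            }
            // A title containing a single quote would break the concatenated
            // query in the exercise; with a bound parameter it is simply a
            // string comparison and returns the book only if that title exists.
            for (String row : findByTitle(ds, "Charlotte's Web")) {
                System.out.println(row);
            }
        } finally {
            ds.close();
        }
    }
}
```

Two checks worth keeping in mind: a WHERE clause built by concatenation can only be made safe by binding (escaping helpers are error-prone), and identifiers such as column names cannot be bound, so they must come from an allow-list rather than user input.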