ComeçarComece de graça

Hacking the statements

CityBook Libraries is developing a search feature that allows users to look up books by title. You're concerned about system security, so you've decided to test it against SQL injection attacks.

Validate if you can retrieve unauthorized data using SQL injection. The HikariSetup class is already configured.

Este exercício faz parte do curso

Querying a PostgreSQL Database in Java

Ver curso

Instruções do exercício

  • Change titleParameter to inject a condition that will allow reading all books.

Exercício interativo prático

Experimente este exercício completando este código de exemplo.

public class Main {
    public static void main(String[] args) throws SQLException {
        HikariDataSource ds = HikariSetup.createDataSource();

		// Change the title to inject a condition that will allow reading all books
        String titleParameter = "To Kill a Mockingbird";

        String query = "SELECT * FROM books WHERE title = '" +  titleParameter + "'";

        try (Connection conn = ds.getConnection()) {
            Statement stmt = conn.createStatement();
            ResultSet rs = stmt.executeQuery(query);
            while (rs.next()) {
                System.out.printf("ID: %d, Title: %s (%d)%n", rs.getInt("book_id"), rs.getString("title"), rs.getInt("publication_year"));
            }
        }
    }
}
Editar e executar o código