[Owasp-ireland] OWASP Ireland 2010 Countdown: Third Challenge Winner

Fabio Cerullo fcerullo at owasp.org
Mon Aug 30 08:20:11 EDT 2010

Congratulations to *Niall Jordan* on answering the challenge question
correctly... you are coming to OWASP Ireland 2010 for FREE!!!

    // Identity of the logged-in user (trusted, comes from the session)
    String uN = ctx.getAuthenticatedUserName();
    // Attacker-controlled request parameter, used without validation or escaping
    String paramName = request.getParameter("paramName");
    // The query is assembled by string concatenation, so paramName becomes part of the SQL
    String query = "SELECT * FROM items WHERE owner = '" + uN + "' AND paramName = '" + paramName + "'";

    // executeQuery() is the JDBC call that returns a ResultSet (execute() returns boolean)
    ResultSet rs = stmt.executeQuery(query);
*1. What is the fundamental issue with this construct?*
Answer: The code dynamically constructs and executes a SQL query. Better off
using parameterised SQL.

*2. What is the potential vulnerability?*
Answer: SQL Injection

Thanks to all those who submitted an answer and until the next & final
challenge on Friday 10th September!

Remember, if you *register before 3rd September* you are in with a chance to win
fantastic training provided by New Horizons Ireland!

More info here:

*6460 Visual Studio 2008 Connected Systems: Windows Presentation Foundation*
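Added example, not part of the original post or the challenge: the same construct rebuilt in Python against an in-memory SQLite table, with the vulnerable concatenated query beside a parameterised one. The `items` rows, the user names and the injection payload are constructed here for the demonstration; the `paramName` column name and the query shape follow the challenge snippet.

```python
import sqlite3

# Constructed sample data: two users' items in the same table as in the challenge.
SAMPLE_ROWS = [
    ("alice", "report", "Q3 figures"),
    ("alice", "notes", "meeting notes"),
    ("bob", "secret", "bob's private item"),
]

# Classic tautology payload: closes the string literal and adds an always-true clause.
# The resulting WHERE is (owner='alice' AND paramName='') OR '1'='1', which matches every row.
INJECTION = "' OR '1'='1"


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database standing in for the 'items' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, paramName TEXT, value TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user: str, param_name: str) -> list:
    """Mirrors the challenge snippet: the query text is built by concatenation,
    so whatever is in param_name is parsed as SQL."""
    query = (
        "SELECT owner, paramName, value FROM items WHERE owner = '"
        + user + "' AND paramName = '" + param_name + "'"
    )
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, user: str, param_name: str) -> list:
    """Hardened form: the SQL text is fixed and the values are bound by the
    driver, so param_name can never change the query's structure."""
    query = "SELECT owner, paramName, value FROM items WHERE owner = ? AND paramName = ?"
    return conn.execute(query, (user, param_name)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("normal:     ", vulnerable_lookup(db, "alice", "report"))
    print("injected:   ", vulnerable_lookup(db, "alice", INJECTION))  # leaks bob's row too
    print("parameterised:", safe_lookup(db, "alice", INJECTION))      # []
```

The parameterised version treats the payload as an ordinary (non-matching) string, so the ownership check in the `WHERE` clause survives. The same fix in the JDBC code from the challenge is a `PreparedStatement` with `?` placeholders and `setString()` for `uN` and `paramName`.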
