[Owasp-ireland] OWASP Ireland 2010 Countdown: Third Challenge Winner

Fabio Cerullo fcerullo at owasp.org
Mon Aug 30 08:20:11 EDT 2010


Congratulations to *Niall Jordan* on answering the challenge question
correctly... you are coming to OWASP Ireland 2010 for FREE!!!

    // Challenge snippet (Java/JDBC): the query is assembled by string concatenation,
    // so request input becomes part of the SQL text.
    String uN = ctx.getAuthenticatedUserName();
    String paramName = request.getParameter("paramName");
    String query = "SELECT * FROM items WHERE owner = '" + uN + "' AND paramName = '" + paramName + "'";

    // Statement.execute() returns a boolean; executeQuery() is the call that returns a ResultSet.
    ResultSet rs = stmt.executeQuery(query);

*1. What is the fundamental issue with this construct?*
Answer: The code dynamically constructs and executes a SQL query. Better off
using parameterised SQL.
http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

*2. What is the potential vulnerability?*
Answer: SQL Injection

Thanks to all those who submitted an answer and until the next & final
challenge on Friday 10th September!

Remember, if you *register before 3rd September* you are in a chance to win
a fantastic training provided by New Horizons Ireland!

More info here:

*6460 Visual Studio 2008 Connected Systems: Windows Presentation Foundation*
http://www.newhorizons.com/LocalWeb/popup/ClassInfo.aspx?ClassID=300003490&ILT=300003490&OLA=&OLL=&ML=&GroupID=462&Mode=3&scheduleclassid=MSM6460


Fabio
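As an added illustration of the two answers above (not part of the original mail), the challenge's query pattern is re-implemented here in Python against an in-memory SQLite table, with the concatenated version beside the parameterised one; the table rows and the `paramName` inputs are constructed for the demo.

```python
import sqlite3

# Constructed sample data: two owners, one item each.
SAMPLE_ROWS = [
    ("alice", "laptop"),
    ("bob", "phone"),
]


def open_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, paramName TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_items_vulnerable(conn, user_name, param_name):
    """The challenge's construct: the statement is built by concatenation,
    so whatever arrives in paramName is parsed as SQL, not treated as data."""
    query = ("SELECT * FROM items WHERE owner = '" + user_name
             + "' AND paramName = '" + param_name + "'")
    return conn.execute(query).fetchall()


def query_items_safe(conn, user_name, param_name):
    """The fix from answer 1: a parameterised query. The values are passed
    to the driver separately from the SQL text, so they cannot alter the
    statement's structure."""
    query = "SELECT * FROM items WHERE owner = ? AND paramName = ?"
    return conn.execute(query, (user_name, param_name)).fetchall()


def demo():
    """Run both forms with an honest value and with a constructed value
    that closes the string literal; returns the rows each call produced."""
    conn = open_db()
    honest = "laptop"
    crafted = "x' OR '1'='1"  # constructed input, closes the quote and adds a tautology
    return {
        "vulnerable_honest": query_items_vulnerable(conn, "alice", honest),
        # Concatenation: the WHERE clause now matches every row, including bob's.
        "vulnerable_crafted": query_items_vulnerable(conn, "alice", crafted),
        # Parameterised: the same input is just a literal that matches nothing.
        "safe_crafted": query_items_safe(conn, "alice", crafted),
    }
```

The vulnerable call returns bob's row to alice, while the parameterised call returns nothing, which is exactly the ownership check the original query intended.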