[Owasp-ireland] OWASP Ireland 2010 Countdown: Third Challenge Winner
fcerullo at owasp.org
Mon Aug 30 08:20:11 EDT 2010
Congratulations to Niall Jordan on answering the challenge question
correctly... you are coming to OWASP Ireland 2010 for FREE!!!
String uN = ctx.getAuthenticatedUserName();
String paramName = request.getParameter("paramName");
// The request parameter is concatenated straight into the SQL text.
String query = "SELECT * FROM items WHERE owner = '" + uN + "' AND paramName = '" + paramName + "'";
ResultSet rs = stmt.executeQuery(query);
1. What is the fundamental issue with this construct?
Answer: The code dynamically constructs and executes a SQL query. Better off
using a parameterised SQL query.
2. What is the potential vulnerability?
Answer: SQL Injection
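To make the two answers concrete, here is an added example (not part of the original mail) that mirrors the Java snippet's query in Python against an in-memory SQLite table and runs the same request value through the concatenated construct and through a parameterised version; the table rows and request values are constructed, and lookup_parameterised plays the role a JDBC PreparedStatement with setString would in the original code.

```python
import sqlite3

# Constructed sample data: each owner should only ever see their own items.
ROWS = [("alice", "widget"), ("alice", "gadget"), ("bob", "secret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (owner TEXT, paramName TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return conn


def lookup_concat(conn, user, param_name):
    """Same construct as the mail's snippet: the request value becomes SQL text."""
    query = ("SELECT * FROM items WHERE owner = '" + user
             + "' AND paramName = '" + param_name + "'")
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, user, param_name):
    """The fix: fixed SQL text, values bound as parameters (PreparedStatement in JDBC)."""
    query = "SELECT * FROM items WHERE owner = ? AND paramName = ?"
    return conn.execute(query, (user, param_name)).fetchall()


def run_both(param_name, user="alice"):
    """Run one request value through both versions.

    Returns (concatenated result, parameterised result); if the concatenated
    query fails to parse, its slot holds the exception class name instead.
    """
    conn = make_db()
    try:
        concat = lookup_concat(conn, user, param_name)
    except sqlite3.Error as exc:
        concat = type(exc).__name__
    bound = lookup_parameterised(conn, user, param_name)
    conn.close()
    return concat, bound


if __name__ == "__main__":
    # Ordinary value: both versions agree.
    print(run_both("widget"))
    # A legitimate value containing a quote: concatenation breaks the SQL,
    # binding treats it as data and correctly finds nothing.
    print(run_both("O'Brien"))
    # A tampered value: concatenation rewrites the WHERE clause so the owner
    # restriction no longer holds (bob's row comes back); binding matches nothing.
    print(run_both("' OR '1'='1"))
```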
Thanks to all those who submitted an answer and until the next & final
challenge on Friday 10th September!
Remember, if you register before 3rd September you are in with a chance to win
a fantastic training provided by New Horizons Ireland!
More info here:
6460 Visual Studio 2008 Connected Systems: Windows Presentation Foundation