Fix SQL injection mitigation answer (fixes WebGoat#505)

You need to submit the IP of the webgoat-prd server, not just any of the IPs.
ZhenyiZhao · Nov 19, 2018 · 5921a06 · 5921a06
1 parent 3536fd0
commit 5921a06
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/...ql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java b/...ql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson12a.java
@@ -33,7 +33,7 @@ public class SqlInjectionLesson12a extends AssignmentEndpoint {
     @SneakyThrows
     public AttackResult completed(@RequestParam String ip) {
         Connection connection = DatabaseUtilities.getConnection(webSession);
-        PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where ip = ?");
+        PreparedStatement preparedStatement = connection.prepareStatement("select ip from servers where hostname = 'webgoat-prd' and ip = ?");
         preparedStatement.setString(1, ip);
         ResultSet resultSet = preparedStatement.executeQuery();
         if (resultSet.next()) {