display query string to user after success, added hints

ldebug · Mar 26, 2019 · 7c32232 · 7c32232
1 parent 2be2de8
commit 7c32232
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/...ql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java b/...ql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson2.java
@@ -46,7 +46,7 @@
  * @created October 28, 2003
  */
 @AssignmentPath("/SqlInjection/attack2")
-@AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2"})
+@AssignmentHints(value = {"SqlStringInjectionHint2-1", "SqlStringInjectionHint2-2", "SqlStringInjectionHint2-3", "SqlStringInjectionHint2-4"})
 public class SqlInjectionLesson2 extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)
@@ -68,9 +68,9 @@ protected AttackResult injectableQuery(String _query) {
                 StringBuffer output = new StringBuffer();
 
                 results.first();
-                // user completes lesson if department is "Marketing"
-                // what if other employee with same dept is result?
+
                 if (results.getString("department").equals("Marketing")) {
+                    output.append("<span class='feedback-positive'>" + _query + "</span>");
                     output.append(SqlInjectionLesson8.generateTable(results));
                     return trackProgress(success().feedback("sql-injection.2.success").output(output.toString()).build());
                 } else {

diff --git a/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties
@@ -14,6 +14,8 @@ sql-injection.2.success=<span class='feedback-positive'>You have succeeded!</spa
 sql-injection.2.failed=<span class='feedback-negative'>Something went wrong! You got no results, check your SQL Statement and the table above.</span>
 SqlStringInjectionHint2-1=You want the data from the column with the name department. You know the database name (employees) and you know the first- and lastname of the employee (first_name, last_name).
 SqlStringInjectionHint2-2=SELECT column FROM tablename WHERE condition;
+SqlStringInjectionHint2-3=Use ' instead of " when comparing two strings.
+SqlStringInjectionHint2-4=Pay attention to case sensitivity when comparing two strings.
 
 SqlStringInjectionHint3-1=Try the UPDATE statement
 SqlStringInjectionHint3-2=UPDATE tablename SET columnname=value WHERE condition;