
SQL Injection (mitigation) Order by clause confusing #839

Closed

dovecode opened this issue Jun 19, 2020 · 1 comment

@dovecode
I think this lesson is trying to say not to inject parameters into the ORDER BY clause. However, it doesn't:

[image: screenshot of the lesson's example query]

I mean, that's perfectly fine. lastname isn't a parameter, it's a literal.

I think what the author meant was that something like this is bad:

```java
// Vulnerable pattern: the sort column is concatenated straight into the SQL text
query = "SELECT * FROM users ORDER BY " + sortColumnName + ";";
```

if sortColumnName is user input.
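The mitigation the issue is pointing at is an allow-list of permitted sort columns, because ORDER BY takes an identifier and cannot be protected with a bind parameter. The following is an added example, not WebGoat's code; it uses a constructed in-memory SQLite table and shows the concatenating query builder beside its hardened form.

```python
import sqlite3

# Constructed sample rows (not from WebGoat) so the example runs offline.
USERS = [("alice", "Zimmer"), ("bob", "Adams"), ("carol", "Miller")]

# Allow-list of columns a user may sort by. User input is compared against
# this set and is never copied into the SQL text itself.
SORTABLE_COLUMNS = {"username", "lastname"}


def build_query_vulnerable(sort_column_name):
    # The pattern from the issue: untrusted input concatenated into ORDER BY.
    # A bind parameter would not help here, since the database would treat a
    # placeholder as a value to sort by rather than as a column name.
    return "SELECT username, lastname FROM users ORDER BY " + sort_column_name + ";"


def build_query_safe(sort_column_name):
    # Hardened form: anything not on the allow-list is rejected outright; only
    # the validated identifier, which is now trusted, reaches the SQL text.
    if sort_column_name not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column_name)
    return 'SELECT username, lastname FROM users ORDER BY "%s";' % sort_column_name


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def sorted_lastnames(sort_column_name):
    # Runs the hardened query and returns the last names in result order.
    conn = _db()
    rows = conn.execute(build_query_safe(sort_column_name)).fetchall()
    conn.close()
    return [row[1] for row in rows]


def is_accepted(sort_column_name):
    # True when the allow-list accepts the input, False when it is rejected.
    try:
        build_query_safe(sort_column_name)
        return True
    except ValueError:
        return False
```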

nbaars added a commit that referenced this issue Oct 22, 2020
@nbaars nbaars self-assigned this Oct 22, 2020
@nbaars nbaars added this to the 8.1.1 milestone Oct 22, 2020
@nbaars (Collaborator) commented Oct 22, 2020

Thanks for the input, fixed; the code was wrong.

nbaars added a commit that referenced this issue Nov 4, 2020
@nbaars nbaars added the "waiting for release" label (Issue is fix, waiting on new release) Nov 8, 2020
zubcevic pushed a commit to zubcevic/WebGoat that referenced this issue Dec 3, 2020
@nbaars nbaars closed this as completed Jul 27, 2021
@nbaars nbaars modified the milestones: 8.1.1, 8.2.0 Jul 27, 2021
@nbaars nbaars added the "4 - Done" label and removed the "3 - Review" and "waiting for release" (Issue is fix, waiting on new release) labels Jul 27, 2021