From 995bd96545ff60e5345a3ee3910bff146c1e5e48 Mon Sep 17 00:00:00 2001
From: "cycode-security[bot]" <54410473+cycode-security[bot]@users.noreply.github.com>
Date: Mon, 18 May 2026 16:53:19 +0000
Subject: [PATCH] [Cycode] Fix for SAST detections - Unsanitized external input in SQL query

---
 .../introduction/SqlInjectionLesson8.java | 35 ++++++++++---------
 1 file changed, 18 insertions(+), 17 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
index fb417e8e3f..d568dcb6ff 100644
--- a/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
+++ b/src/main/java/org/owasp/webgoat/lessons/sqlinjection/introduction/SqlInjectionLesson8.java
@@ -1,5 +1,6 @@
+
 /*
- * SPDX-FileCopyrightText: Copyright © 2016 WebGoat authors
+ * SPDX-FileCopyrightText: Copyright 2016 WebGoat authors
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
 package org.owasp.webgoat.lessons.sqlinjection.introduction;
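Review bot: The SPDX header edit drops the © character (`Copyright © 2016` becomes `Copyright 2016`) and adds a blank first line before `/*`, neither of which has anything to do with the SQL finding; this looks like an encoding or formatting side effect of the generating tool rather than an intended change. The license header should stay byte-identical to the original: `* SPDX-FileCopyrightText: Copyright © 2016 WebGoat authors`, with no leading blank line. A copyright-notice change is also the kind of edit that reviewers expect to be called out in the commit message, and this one is not.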
@@ -47,19 +48,19 @@ public AttackResult completed(@RequestParam String name, @RequestParam String au
 protected AttackResult injectableQueryConfidentiality(String name, String auth_tan) {
 StringBuilder output = new StringBuilder();
 String query =
- "SELECT * FROM employees WHERE last_name = '"
- + name
- + "' AND auth_tan = '"
- + auth_tan
- + "'";
+ "SELECT * FROM employees WHERE last_name = ? AND auth_tan = ?";
 try (Connection connection = dataSource.getConnection()) {
 try {
- Statement statement =
- connection.createStatement(
- ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_UPDATABLE);
- log(connection, query);
- ResultSet results = statement.executeQuery(query);
+ PreparedStatement statement =
+ connection.prepareStatement(
+ query,
+ ResultSet.TYPE_SCROLL_INSENSITIVE,
+ ResultSet.CONCUR_UPDATABLE);
+ statement.setString(1, name);
+ statement.setString(2, auth_tan);
+ log(connection, name, auth_tan);
+ ResultSet results = statement.executeQuery();
 if (results.getStatement() != null) {
 if (results.first()) {
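Review bot: Parameterizing `injectableQueryConfidentiality` removes the injection that this WebGoat lesson exists to teach — the method name and the `org.owasp.webgoat.lessons.sqlinjection.introduction` package mark it as intentionally vulnerable training code, so the lesson's success condition (inferred from the name, not visible in this hunk) most likely can no longer be reached. The appropriate remediation for an automated SAST finding in deliberately vulnerable lesson code is a scanner suppression or path exclusion for the lesson packages, not a code change; if the fix is kept anyway, the lesson text and completion check have to be updated in the same commit. Separately, the new code needs `java.sql.PreparedStatement` in scope and may leave the `Statement` import unused, and no import hunk is part of this patch, so the file should be confirmed to compile. The body of `injectableQueryConfidentiality` continues past the end of the hunk.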
@@ -128,18 +129,18 @@ public static String generateTable(ResultSet results) throws SQLException {
 return (table.toString());
 }
- public static void log(Connection connection, String action) {
- action = action.replace('\'', '"');
+ public static void log(Connection connection, String name, String auth_tan) {
 Calendar cal = Calendar.getInstance();
 SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
 String time = sdf.format(cal.getTime());
 String logQuery =
- "INSERT INTO access_log (time, action) VALUES ('" + time + "', '" + action + "')";
+ "INSERT INTO access_log (time, action) VALUES (?, ?)";
- try {
- Statement statement = connection.createStatement(TYPE_SCROLL_SENSITIVE, CONCUR_UPDATABLE);
- statement.executeUpdate(logQuery);
+ try (PreparedStatement statement = connection.prepareStatement(logQuery)) {
+ statement.setString(1, time);
+ statement.setString(2, "SELECT * FROM employees WHERE last_name = '" + name + "' AND auth_tan = '" + auth_tan + "'");
+ statement.executeUpdate();
 } catch (SQLException e) {
 System.err.println(e.getMessage());
 }
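Review bot: The rewritten `log` records in `access_log` a concatenated SQL string that was never executed — the second `setString` rebuilds the pre-fix query text from `name` and `auth_tan` — so the audit row no longer describes what actually ran, while the `?`-placeholder statement that did run is not logged at all. Record the executed statement text and its bound values as clearly separated fields (or a labelled suffix) instead of reconstructing the vulnerable form; the bound value is safe to store now that it is passed as a parameter, so the dropped `replace('\'', '"')` is not needed. Changing the `public static` signature from `log(Connection, String)` to `log(Connection, String, String)` also breaks any other caller in the project, and the static imports `TYPE_SCROLL_SENSITIVE`/`CONCUR_UPDATABLE` probably become unused; keeping the old `(Connection, String)` form as an overload and having the caller pass the executed text would avoid the first problem. The body of `log` closes outside the hunk.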