
Tutorial 1. Write your first InternalFLuentTQL specification


Let's take a simple SQL-Injection example. The example code below contains a SQL-Injection vulnerability.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Scanner;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Tutorial example of a SQL-Injection taint flow: untrusted input read from
 * {@code Scanner.nextLine()} (source) is concatenated into a SQL string that is
 * executed by {@code Statement.executeQuery()} (sink).
 *
 * <p>As written, the sanitizer line is commented out, so {@code employeeID} is
 * never declared and this file does not compile; presumably this is deliberate,
 * so that the reader uncomments the sanitizer as part of the tutorial.
 */
public class SimpleSQLInjection {

    /**
     * Reads one line from standard input and runs it, unescaped, as part of a
     * SQL query against the in-memory EMPLOYEES database.
     *
     * @return the result set of the query; it remains bound to the
     *         {@code Statement} and {@code Connection} created here, neither of
     *         which is closed by this method
     * @throws SQLException if the connection cannot be opened or the query fails
     */
    public static ResultSet getEmployeeInformationWithSanitizer() throws SQLException {
        Scanner mySC = new Scanner(System.in);

        // Source: Method nextLine is a source that takes input from user.
        String userInput = mySC.nextLine();

        // Closing the Scanner also closes the wrapped System.in stream.
        mySC.close();

        PolicyFactory POLICY_DEFINITION = new HtmlPolicyBuilder().toFactory();

        // Sanitizer: Method sanitize is a sanitizer that sanitizes the user input, therefore, the below line should be uncommented to avoid SQL-Injection.
        //String employeeID = POLICY_DEFINITION.sanitize(userInput);
        // NOTE(review): for the purposes of the taint specification, sanitize() is the
        // declared sanitizer. It is, however, an HTML policy sanitizer: it strips markup,
        // it does not escape SQL metacharacters (quotes, comments, semicolons). Treating
        // it as a SQL-Injection mitigation is only valid inside this tutorial model. The
        // production fix is a PreparedStatement with a bind parameter
        // ("... WHERE EID = ?" plus setString/setInt), which removes the concatenation
        // below entirely.

        // Credentials and JDBC URL are hard-coded here for the in-memory test database.
        Connection myConnection = DriverManager.getConnection("jdbc:hsqldb:mem:EMPLOYEES", "test", "test");
        Statement myStatement = myConnection.createStatement();

        // Sink: Method executeQuery is a sink that performs sensitive operation and leaks the data.
        // Tainted data reaches the sink via string concatenation into the query text.
        ResultSet queryResult = myStatement.executeQuery("SELECT * FROM EMPLOYEE where EID = " + employeeID);

        // myStatement and myConnection are intentionally left open: closing them here
        // would invalidate the returned ResultSet. The caller owns their lifetime.
        return queryResult;

    }
}