// Secure: using placeholders treats all input strictly as literal text data
String query = "SELECT coupon_code FROM coupons WHERE coupon_code = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, userInput);
ResultSet resultSet = pstmt.executeQuery();
: Specifies the database management system (if known).
This seemingly minor implementation detail creates a powerful vulnerability. A clever attacker can abuse this behavior to create an unescaped single quote by chaining backslashes.
After 127 requests, the script revealed:
/* Hypothetical backend logic executing on the MySQL database */
SELECT coupon_code FROM coupons WHERE coupon_code = 'USER_INPUT';
To solve Challenge 5, security researchers often employ a . Since the standard search result displays coupon information, an attacker can use the UNION SELECT statement to append results from other tables—specifically internal database schema tables—to the visible output.