Commit b3bdbbe

Merge pull request #171 from ossf/add_sql_injection_lab
Add SQL injection lab
2 parents 176d6cc + a8ab7c6 commit b3bdbbe

1 file changed, +6 -0 lines changed

secure_software_development_fundamentals.md

Lines changed: 6 additions & 0 deletions
@@ -2731,6 +2731,12 @@ Of course, like any technique, if you use it wrongly then it won’t be secure.
27312731

27322732
This insecure program uses a prepared statement, but instead of correctly using “**?**” as a value placeholder (which will then be properly escaped), this code directly concatenates data into the query. Unless the data is properly escaped (and it almost certainly is not), this code can quickly lead to a serious vulnerability if this data can be controlled by an attacker.
27332733

2734+
##### Lab: SQL injection
2735+
2736+
🧪 **Lab: Please try lab [sql-injection](https://best.openssf.org/labs/sql-injection.html), which lets you experiment with how to counter a SQL injection vulnerability.**
2737+
2738+
*Labs are optional, but you're strongly encouraged to try them!*
2739+
27342740
#### Examples: Parameterized and Prepared Statements in some Other Languages
27352741

27362742
Parameterized and prepared statements are widely available, though the
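Review bot: the lab sentence added at 2736 should name the countermeasure the lab exercises, since the paragraph just above it contrasts correct "?" placeholders with string concatenation into a prepared statement; suggest "...which lets you experiment with how to counter a SQL injection vulnerability using parameterized (prepared) statements." so the lab reads as a follow-on to that text rather than a generic pointer. Minor: the new "##### Lab: SQL injection" heading at 2734 is level 5 beneath the level-4 "Examples" headings around it; keep it at that level only if the other lab headings in the document are also level 5, otherwise match them.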

0 commit comments
