You need to sign in to do that
Don't have an account?
Pspk
trailhead challange - SOQL injection
Hi , I am struck up in below Trailhead challange and could not understand what wrong in my code.
Please help
Thanks in advance
Simulate a SOQL Injection Attack
For this challenge, perform a SOQL injection on the search box to see information that is unintentionally exposed. Navigate to the SOQL Injection Challenge tab within the SOQL Injection application. You will see a search tool for the supply__c object. Use the search box to perform a SOQL injection which returns supplies meant for Nobles only. Hint: If you’ve done this successfully, your query should return one result containing Venison.
SOQL_Injection_Challenge:
public class SOQL_Injection_Challenge {
public string textual {get; set;}
public List<Supply__c> whereclause_records {get; set;}
//SELECT Id,Name,Quantity__c,Storage_Location__c,Type__c FROM Supply__c
public PageReference whereclause_search(){
string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
string whereClause = '';
if(textual != null && textual!=''){
whereClause += 'name like \'%'+textual+'%\' ';
}
if(whereClause != ''){
whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
validate(whereClause,whereclause_records.size());
}
return null;
}
public void validate(string s, integer i){
if(s.contains('\'%') && s.containsIgnoreCase('Nobles_Only__c') && s.contains('%\'') && i<10){
cvcs__c v = cvcs__c.getInstance('sic1');
if(v==null){
v = new cvcs__c(name='sic1',c1__c = 1);
} else {
v.c1__c += 1;
}
upsert v;
}
}
}
Please help
Thanks in advance
Simulate a SOQL Injection Attack
For this challenge, perform a SOQL injection on the search box to see information that is unintentionally exposed. Navigate to the SOQL Injection Challenge tab within the SOQL Injection application. You will see a search tool for the supply__c object. Use the search box to perform a SOQL injection which returns supplies meant for Nobles only. Hint: If you’ve done this successfully, your query should return one result containing Venison.
SOQL_Injection_Challenge:
public class SOQL_Injection_Challenge {
public string textual {get; set;}
public List<Supply__c> whereclause_records {get; set;}
//SELECT Id,Name,Quantity__c,Storage_Location__c,Type__c FROM Supply__c
public PageReference whereclause_search(){
string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
string whereClause = '';
if(textual != null && textual!=''){
whereClause += 'name like \'%'+textual+'%\' ';
}
if(whereClause != ''){
whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
validate(whereClause,whereclause_records.size());
}
return null;
}
public void validate(string s, integer i){
if(s.contains('\'%') && s.containsIgnoreCase('Nobles_Only__c') && s.contains('%\'') && i<10){
cvcs__c v = cvcs__c.getInstance('sic1');
if(v==null){
v = new cvcs__c(name='sic1',c1__c = 1);
} else {
v.c1__c += 1;
}
upsert v;
}
}
}
your search string should be something like -- %' and nobles_only__c=true and name like '%
Note: as mentioned in trailhead this return only one record with name 'Venison'
All Answers
I believe the challenge is to perform SOQL injection in the search box and have nothing to do with the code. Your search should retrieve the supply records where nobles_only checkbox is checked.
your search string should be something like -- %' and nobles_only__c=true and name like '%
Note: as mentioned in trailhead this return only one record with name 'Venison'
Thank you very much :)