Merge pull request #760 from ossf/sql_injection_answers

Lab sql-injection: Move answers to JavaScript

Author: david-a-wheeler

docs/labs/sql-injection.html

@@ -12,39 +12,6 @@
 
 <!-- See create_labs.md for how to create your own lab! -->
 
-<!-- Sample expected answer -->
-<script id="expected0" type="plain/text">
-  String QueryString = "select * from authors where lastname=?";
-  PreparedStatement pstmt = connection.prepareStatement(QueryString);
-</script>
-
-<script id="correct0" type="plain/text">
-\s* String\s+QueryString =
-   \"select\s+\*\s+from\s+authors\s+where\s+lastname\s*\=\s*\?\s*;?\s*\" \;
-\s* PreparedStatement\s+pstmt = connection \. prepareStatement \( QueryString \) \; \s*
-</script>
-
-<script id="expected1" type="plain/text">
-  pstmt.setString(1, search_lastname);
-  ResultSet results = pstmt.executeQuery( );
-</script>
-
-<!--
-Note: Java Statement has an "executeQuery" method, of form:
-  ResultSet executeQuery(String sql)
-It requires exactly one parameter and does NOT accept added parameters.
-So `executeQuery(sql, search_lastname)` is not legal Java.
-
-See:
-https://docs.oracle.com/en/java/javase/22/docs/api/java.sql/java/sql/Statement.html
--->
-<script id="correct1" type="plain/text">
-\s* pstmt \. setString \( 1 , search_lastname \) \;
-\s* ResultSet\s+results = pstmt \. executeQuery \( \) \; \s*
-</script>
-
-
-
 </head>
 <body>
 <!-- For GitHub Pages formatting: -->

docs/labs/sql-injection.js

@@ -3,7 +3,7 @@ info =
   hints: [
     {
       present: "search_lastname",
-      text: "You should replace \"search_lastname\" with a placeholder.",
+      text: "You should replace \"search_lastname\" with a placeholder (?).",
       index: 0,
       examples: [
         [
@@ -30,7 +30,7 @@ info =
     {
       absent: String.raw`\s* PreparedStatement\s+pstmt = connection \.
     prepareStatement \( QueryString \) \; \s*`,
-      text: "Your second line should have the form `PreparedStatement pstmt = connection.prepareStatement(QueryString);`"
+      text: "After defining the query string you should create a prepared statement, using the form `PreparedStatement pstmt = connection.prepareStatement(QueryString);`"
     },
     {
       absent: "search_lastname",
@@ -54,5 +54,26 @@ info =
       index: 1,
       text: "After using `setString` execute the query and place the results in `results`, something like `ResultSet results = pstmt.executeQuery();`"
     }
-  ]
+  ],
+  expected: [
+    String.raw`  String QueryString = "select * from authors where lastname=?";
+  PreparedStatement pstmt = connection.prepareStatement(QueryString);`,
+    String.raw`  pstmt.setString(1, search_lastname);
+  ResultSet results = pstmt.executeQuery( );`,
+  ],
+  correct: [
+    String.raw`\s* String\s+QueryString =
+      \"select\s+\*\s+from\s+authors\s+where\s+lastname\s*\=\s*\?\s*;?\s*\" \;
+      \s* PreparedStatement\s+pstmt = connection \.
+          prepareStatement \( QueryString \) \; \s*`,
+      // Note: Java Statement has an "executeQuery" method, of form:
+      //   ResultSet executeQuery(String sql)
+      // It requires exactly one parameter and does NOT accept added parameters.
+      // So `executeQuery(sql, search_lastname)` is not legal Java.
+      // Some documents and online help forums get this wrong.
+      // For the authoritative answer (in Java 22), see:
+      // https://docs.oracle.com/en/java/javase/22/docs/api/java.sql/java/sql/Statement.html
+    String.raw`\s* pstmt \. setString \( 1 , search_lastname \) \;
+      \s* ResultSet\s+results = pstmt \. executeQuery \( \) \; \s*`,
+  ],
 }