In the following code, which is the location of vulnerability? 1 String username = req.getParameter("loginID"); 2 String password = req.getParameter("loginPassword"); 3 String sql = "SELECT UserID from Employee WHERE Emp_ID = ? AND Password=?"; 4 pstmt = con.prepareStatement(sql); 5 pstmt.setString(1,username); 6 pstmt.setString(2,password); 7 pstmt.execute(); 8 user = pstmt.getResultSet(); 9 if(user!=null) 10 { 11 while (user.next()) 12 { 13 userInfo.add(user.getString(1)); 14 } 15 } 16 else 17 { 18 log.debug(“Invalid Login: Login ID-”+ username+” Password-”+ password); 19 }

technology security

  1. Line 5

  2. Line 4

  3. Line 11

  4. Line 18

Show answer
Correct Option: D

AI Explanation

To identify the vulnerability in the given code, we need to understand the concept of SQL injection.

SQL injection is a code injection technique where an attacker inserts malicious SQL statements into an application's database query. This can lead to unauthorized access, data leakage, or data manipulation.

In the given code, the vulnerability is present in Line 18:

log.debug("Invalid Login: Login ID-" + username + " Password-" + password);

This line of code concatenates the username and password variables directly into the log message without any sanitization or validation. If an attacker provides malicious input for the username or password parameters, it can lead to a successful SQL injection attack.

To prevent SQL injection, it is necessary to use parameterized queries or prepared statements, which is done correctly in Line 4-6 where placeholders (?) are used for Emp_ID and Password, and then the actual values are set using setString() method.

Therefore, the correct answer is:

D. Line 18

Find more quizzes: