To identify the vulnerability in the given code, we first need to rule out SQL injection, which is what the query-building lines would be vulnerable to if they were written carelessly.
SQL injection is a code injection technique where an attacker inserts malicious SQL fragments into an application's database query by supplying crafted input that is concatenated into the query text. This can lead to unauthorized access, data leakage, or data manipulation.
In the given code, the vulnerability is present in Line 18:
log.debug("Invalid Login: Login ID-" + username + " Password-" + password);
This line concatenates the username and password variables directly into a log message without any sanitization. Two things are wrong with it. First, it writes the plaintext password that the user submitted into the application log; on a failed login that is often a real password with a typo, or a valid password for a different account, and it is now exposed to anyone who can read the logs, the log aggregator, or a backup. Credentials must never be logged. Second, because the values are not sanitized, an attacker who includes newline characters in the username can forge additional log entries or corrupt the log format (log injection). Note that this is not SQL injection: the statement is a logging call, not a database query, so input passed here never reaches the SQL engine.
The database access itself is not the problem. Lines 4-6 correctly use a prepared statement with ? placeholders for Emp_ID and Password, and the actual values are bound afterwards with the setString() method, so the driver treats them as data rather than as SQL text and user input cannot alter the query.
Therefore, the correct answer is:
D. Line 18
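The following Java class is an added example, not code from the original question, that puts the safe prepared statement from Lines 4-6 next to the vulnerable log line from Line 18 and a hardened replacement. The table and column names in the query, and java.util.logging standing in for the page's log object, are assumptions; the attacker input in main() is constructed for the demo.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.logging.Logger;

public class LoginExample {
    private static final Logger log = Logger.getLogger(LoginExample.class.getName());

    // Mirrors Lines 4-6 of the question: a parameterized query (table and
    // column names assumed). User input is bound with setString(), never
    // concatenated into the SQL text, so it cannot change the query structure.
    static PreparedStatement prepareLoginQuery(Connection conn, String empId, String password)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT Emp_ID FROM Employees WHERE Emp_ID = ? AND Password = ?");
        ps.setString(1, empId);
        ps.setString(2, password);
        return ps;
    }

    // The vulnerable form from Line 18: the submitted password lands in the log,
    // and a username containing CR/LF can forge extra log lines.
    static String vulnerableFailureMessage(String username, String password) {
        return "Invalid Login: Login ID-" + username + " Password-" + password;
    }

    // Hardened form: the password is never logged, and control characters in the
    // username are neutralised so one request cannot write more than one entry.
    static String safeFailureMessage(String username) {
        return "Invalid Login: Login ID-" + sanitizeForLog(username);
    }

    // Replace CR, LF and other ASCII control characters with '_' and cap the
    // length so a hostile value cannot inject line breaks or flood the log.
    static String sanitizeForLog(String value) {
        if (value == null) return "null";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length() && i < 64; i++) {
            char c = value.charAt(i);
            sb.append(c < 0x20 || c == 0x7f ? '_' : c);
        }
        if (value.length() > 64) sb.append("...");
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed attacker input: a username carrying a forged log line.
        String username = "alice\nINFO Valid Login: Login ID-admin";
        String password = "Tr0ub4dor&3";

        System.out.println("--- vulnerable (Line 18) ---");
        System.out.println(vulnerableFailureMessage(username, password));
        System.out.println("--- hardened ---");
        System.out.println(safeFailureMessage(username));
        // The hardened message is what should actually be handed to the logger.
        log.warning(safeFailureMessage(username));
    }
}
```

Running main() prints the vulnerable message as two log lines, the second of them the attacker's forged "Valid Login" entry, followed by the real password; the hardened message collapses the newline to an underscore and omits the password entirely. prepareLoginQuery() needs a live JDBC Connection and is shown only to contrast the safe binding in Lines 4-6 with the unsafe string building in Line 18.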