[Day 16] Secure Coding

December 16, 2022

This task has users patching insecure code rather than exploiting it, which is a different approach from what THM usually does. There are four SQLi vulnerabilities and as you patch a vulnerability you are granted a flag.

Flags

What is the value of Flag1?

THM{McCode, Elf McCode}

Here on lines 4 and 17, we added intval to accept only integers as a value for the MySQL table.

What is the value of Flag2?

THM{KodeNRoll}

For this flag, I learned that for each patch you want to use a prepared statement.

"Prepared statements allow you to separate the syntax of your SQL sentence from the actual parameters used on your WHERE clause. Instead of building a single string by concatenation, you will first describe the structure of your SQL query and use placeholders to indicate the position of your query's parameters. You will then bind the parameters to the prepared statement in a separate function call."

What is the value of Flag3?

THM{Are we secure yet?}

Use intval.

What is the value of Flag4?

THM{SQLi_who???}

Use a prepared statement.

Previous[Day 15] Secure Coding Next[Day 17] Secure Coding

Last updated 3 years ago

hashtagFlags

hashtagWhat is the value of Flag1?

hashtagWhat is the value of Flag2?

hashtagWhat is the value of Flag3?

hashtagWhat is the value of Flag4?

Flags

What is the value of Flag1?

What is the value of Flag2?

What is the value of Flag3?

What is the value of Flag4?