Merge pull request #171 from ossf/add_sql_injection_lab

Add SQL injection lab
ossf · Oct 4, 2024 · b3bdbbe · b3bdbbe
2 parents 176d6cc + a8ab7c6
commit b3bdbbe
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/secure_software_development_fundamentals.md b/secure_software_development_fundamentals.md
@@ -2731,6 +2731,12 @@ Of course, like any technique, if you use it wrongly then it won’t be secure.
 
 This insecure program uses a prepared statement, but instead of correctly using “**?**” as a value placeholder (which will then be properly escaped), this code directly concatenates data into the query. Unless the data is properly escaped (and it almost certainly is not), this code can quickly lead to a serious vulnerability if this data can be controlled by an attacker.
 
+##### Lab: SQL injection
+
+ 🧪 **Lab: Please try lab [sql-injection](https://best.openssf.org/labs/sql-injection.html), which lets you experiment with how to counter a SQL injection vulnerability.**
+
+*Labs are optional, but you're strongly encouraged to try them!*
+
 #### Examples: Parameterized and Prepared Statements in some Other Languages
 
 Parameterized and prepared statements are widely available, though the