Pspk

Trailhead challenge - SOQL injection

Hi, I am stuck on the Trailhead challenge below and cannot understand what is wrong in my code.
Please help 

Thanks in advance 

Simulate a SOQL Injection Attack

For this challenge, perform a SOQL injection on the search box to see information that is unintentionally exposed. Navigate to the SOQL Injection Challenge tab within the SOQL Injection application. You will see a search tool for the supply__c object. Use the search box to perform a SOQL injection which returns supplies meant for Nobles only. Hint: If you’ve done this successfully, your query should return one result containing Venison.

SOQL_Injection_Challenge:

public class SOQL_Injection_Challenge {

    public string textual {get; set;}
    public List<Supply__c> whereclause_records {get; set;}



//SELECT Id,Name,Quantity__c,Storage_Location__c,Type__c FROM Supply__c
    public PageReference whereclause_search(){
        string query = 'SELECT Id,Name,Quantity__c,Storage_Location__c,Storage_Location__r.Castle__c,Type__c FROM Supply__c';
        string whereClause = '';

        if(textual != null && textual!=''){
                whereClause += 'name like  \'%'+textual+'%\' ';
        }

        if(whereClause != ''){
            whereclause_records = database.query(query+' where '+whereClause+' Limit 10');
            validate(whereClause,whereclause_records.size());
        }

        return null;
    }


    public void validate(string s, integer i){
      if(s.contains('\'%') && s.containsIgnoreCase('Nobles_Only__c') && s.contains('%\'') && i<10){
        cvcs__c  v = cvcs__c.getInstance('sic1');
        if(v==null){
          v = new  cvcs__c(name='sic1',c1__c = 1);
        } else {
            v.c1__c += 1;
        }
        upsert v;
      }
    } 
}

All Answers

Malni Chandrasekaran 2
Pspk,
I believe the challenge is to perform SOQL injection in the search box and has nothing to do with the code. Your search should retrieve the supply records where the nobles_only checkbox is checked.
Pspk
Oh yes! Thank you very much Malni :)
Malni Chandrasekaran 2
Please mark it as solved if this helped you.
Your search string should be something like -- %' and nobles_only__c=true and name like '%
Note: as mentioned in Trailhead, this returns only one record with name 'Venison'
This was selected as the best answer
Pspk
Yes, I fixed it.
Thank you very much :)
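
A hardened counterpart to the controller posted in the question, added here as an example (it is not part of the original thread or of the Trailhead challenge code). The class name `Supply_Search_Hardened` and the method `dynamic_search` are hypothetical; the object and field names are the ones in the posted query. With the search term bound or escaped, the string from the best answer is matched as a literal name and no longer extends the WHERE clause.

```apex
public with sharing class Supply_Search_Hardened {

    public String textual { get; set; }
    public List<Supply__c> whereclause_records { get; set; }

    // Preferred form: static SOQL with a bind variable. The user's text is
    // passed as data, so quotes in it cannot close the string literal.
    public PageReference whereclause_search() {
        if (String.isBlank(textual)) {
            return null;
        }
        // '%' and '_' typed by the user still act as LIKE wildcards here;
        // that widens the name match but cannot add conditions to the query.
        String likeTerm = '%' + textual + '%';
        whereclause_records = [
            SELECT Id, Name, Quantity__c, Storage_Location__c,
                   Storage_Location__r.Castle__c, Type__c
            FROM Supply__c
            WHERE Name LIKE :likeTerm
            LIMIT 10
        ];
        return null;
    }

    // If the query has to stay dynamic, escape the input before concatenating.
    // String.escapeSingleQuotes turns ' into \' so the term stays inside the
    // quoted literal built below.
    public PageReference dynamic_search() {
        if (String.isBlank(textual)) {
            return null;
        }
        String safeTerm = String.escapeSingleQuotes(textual);
        String query =
            'SELECT Id,Name,Quantity__c,Storage_Location__c,' +
            'Storage_Location__r.Castle__c,Type__c FROM Supply__c' +
            ' WHERE Name LIKE \'%' + safeTerm + '%\' LIMIT 10';
        whereclause_records = Database.query(query);
        return null;
    }
}
```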