SQL Inject Found in one_page_student

I found a sql inject in one_page_student.findWithId/findWithName.
Set a breakpoint as follows:
![image](https://github.com/Hui4401/StudentManager/assets/56333292/e216ac42-c01d-4794-b591-ffc65b091360)
When I use payload `one_page_student?key=1' or '1'='1`，it hits the breakpoint.
![image](https://github.com/Hui4401/StudentManager/assets/56333292/2d9d6051-b0ed-4307-b9fb-d6c5077027b1)
![image](https://github.com/Hui4401/StudentManager/assets/56333292/dca4abf3-9d99-4240-b1c0-1246335f385a)
After executing `String sql=...`， `sql` becomes
![image](https://github.com/Hui4401/StudentManager/assets/56333292/c5854792-0aff-496a-8bf0-db8b59027b31)
After executing sql query, `al` is filled with information
![image](https://github.com/Hui4401/StudentManager/assets/56333292/38ffd0c3-b440-497a-93cc-3a48766336c3)
![image](https://github.com/Hui4401/StudentManager/assets/56333292/89ae3450-8850-46ca-a95e-76ebc06fb372)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SQL Inject Found in one_page_student #10

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

SQL Inject Found in one_page_student #10

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions