#0301

Login Query Builder

Easy · +50 XP · A03:2021 Injection · CWE-89
SQL Injection · Login

Scenario

A login endpoint accepts a username from the HTTP request body and passes it directly to a SQL query via string concatenation.

An attacker can supply a crafted username such as admin'-- or ' OR '1'='1 to bypass authentication entirely, gaining access to any account — or all accounts at once.

This is the classic SQL injection pattern and one of the most well-documented vulnerabilities in software history.

SQL injection has topped vulnerability charts for decades. A single concatenated login query can hand an attacker the entire user database — or admin access — with a single crafted request.

Your Tasks

  1. Fix buildLoginQuery so the username is passed as a parameter rather than concatenated inline.
  2. Return an object with sql using $1 as the placeholder and params containing the raw username.
  3. Never let user-supplied input appear literally inside the SQL string.

Examples

Example 1: Injection blocked

buildLoginQuery("admin'--")
// BUG → sql: "...WHERE username='admin'--'"
// FIX → { sql: '...WHERE username=$1', params: ["admin'--"] }

Example 2: Normal login

buildLoginQuery('alice')
// → { sql: '...WHERE username=$1', params: ['alice'] }

Constraints

  • Only edit the function body — do not change the function signature.
  • The returned sql must be exactly "SELECT id,role FROM users WHERE username=$1".
  • The returned params array must contain the raw (unsanitized) username as its only element.
  • No external packages.
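The vulnerable concatenated form next to a parameterized form that satisfies the constraints above, as an added example (not the challenge's reference solution); `buildLoginQueryVulnerable` and `inputLeaksIntoSql` are names assumed here for illustration.

```javascript
// Added example, not the challenge's reference solution.

// Vulnerable form (assumed name): the username is spliced into the SQL text,
// so a quote in the input changes the structure of the query. With "admin'--"
// the closing quote is consumed and the rest of the statement becomes a comment.
function buildLoginQueryVulnerable(username) {
  return {
    sql: "SELECT id,role FROM users WHERE username='" + username + "'",
    params: [],
  };
}

// Hardened form: the SQL text is a constant template with a $1 placeholder and
// the raw username travels separately in params. A driver such as node-postgres
// (client.query(sql, params)) binds the value as data, never as SQL syntax.
function buildLoginQuery(username) {
  return {
    sql: 'SELECT id,role FROM users WHERE username=$1',
    params: [username],
  };
}

// Regression check (assumed helper): user input must never appear literally in
// the SQL string, whatever its content. Useful as a unit test around any query
// builder, not just this one.
function inputLeaksIntoSql(query, username) {
  return username.length > 0 && query.sql.includes(username);
}

// Constructed inputs: a classic comment-terminator payload and a benign name.
const payload = "admin'--";
console.log(inputLeaksIntoSql(buildLoginQueryVulnerable(payload), payload)); // true
console.log(inputLeaksIntoSql(buildLoginQuery(payload), payload));           // false
console.log(buildLoginQuery('alice'));
```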

Hint

References

solution.js