XML Exam I10-003 Topic 6 Question 58 Discussion

Actual exam question for XML's I10-003 exam

Question #: 58
Topic #: 6

See separate window.

A certain Web application displays user information according to user input via Web browser. The XML data managing user information is as shown in [example.xml] (separate window). The following [XQuery] is executed when the Web application retrieves user information from [example xml].

[XQuery]

{

fn:doc("example.xml")//data[userid = "(1)"][password = "(2)"]

}

At this time, the Web application completes the [XQuery] by replacing (1) and (2) with the user input character string, and executes the query.

No character escapes (e.g. convert "<" to "<") are performed for character string input by the user. Select two of the following that produces the query execution result in [Execution Result] (separate window) when the character string is as shown in each answer choice.

A(1) ' or''='
(2) OK

B(1) ' or''='
(2) ' or''='

C(1) idorfn:true()
(2) OK

D(1) idorfn.true()
(2) idorfn:true()

E(1) ' or fn:true() or any='
(2) OK

F(1) 'or fn:true() or any='
(2) 'or fn:true() or any='

Show Suggested Answer

Suggested Answer: B, F

by Eladia at Feb 08, 2025, 10:04 PM

Limited Time Offer

25%

17 days ago

This query is a classic example of SQL injection vulnerability. Looks like the application is not properly sanitizing user input. Scary stuff!

upvoted 0 times

Fallon

2 days ago

User 2: Definitely, they should sanitize the input to prevent SQL injection.

upvoted 0 times

...

Deangelo

3 days ago

User 1: Yeah, that's a major security flaw.

upvoted 0 times

...

Marcelle

17 days ago

I think the answer is A.

upvoted 0 times

...