+3 votes
Hi,

I lost points in Exercise 6 for Tasks 5, 6, 7, and 12, although my solutions seem to work correctly. I would appreciate it if you could take another look at my submission (IMT username: ttappe).

- Task 5: My solution follows the example from the exercise description exactly:

  CREATE TABLE students( ID INTEGER PRIMARY KEY NOT NULL, NAME TEXT NOT NULL )  

  In the example, there is no space between the table name and the opening parenthesis. However, the expected solution seems to require a space there.

- Task 6: I used the same approach as in Task 7 because it works in exactly the same way here.

- Task 7: My answer was marked as incorrect even though it returns Chris's salary as requested. In fact, it only returns Chris's salary and not any additional salaries.

- Task 12: The answer

  SELECT * FROM users WHERE name='admin' AND password='123' OR sleep(5)

  was marked as incorrect. However, I would argue that it can still be used to determine whether the admin's password is 123. If no such user exists, the query takes at least n × 5 seconds (where n is the number of users). If a matching user exists, evaluation may short-circuit for those rows, resulting in a shorter execution time. Therefore, the query can be used as a timing-based test.

I would appreciate it if you could review these tasks again.

Best regards,  

Tobias Tappe
in ex06 by (280 points)

3 Answers

0 votes
Best answer
The grading for Exercise 06 is not ready yet. Sorry for the confusion.
by (1.8k points)
0 votes
I also have the same problem. I think many students are experiencing the same thing. I hope the teachers review our answers and give correct grades.
by (170 points)
–1 vote

The grading for Exercise 6 is now complete. The current scores shown on PANDA reflect the corrected marks for the relevant tasks.

Regarding Task 12, the answer

SELECT * FROM users WHERE name='admin' AND password='123' OR sleep(5)

cannot be used to reliably determine whether the admin's password is 123.

The problem is that sleep(5) is evaluated independently of the admin password check. As a result, the query execution time depends on the total number of rows processed rather than solely on whether the admin's password matches 123.

For a timing-based exfiltration attack, the delay must be directly tied to the truth value of the condition being tested. In this query, the timing behavior is not uniquely attributable to the admin password comparison, so it does not provide a reliable mechanism for exfiltrating that information.

by (340 points)
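
Added example, not part of any post above or of the course material: it runs the Task 12 query in SQLite with a stand-in `sleep` function that records each call instead of waiting, and counts how often the database invokes it as the table grows. The table contents, the helper `count_sleep_calls` and the choice of SQLite are assumptions; the exercise's database engine is not stated on this page and may evaluate the expression differently.

```python
import sqlite3

# The query from Task 12, exactly as posted in the thread.
QUERY = "SELECT * FROM users WHERE name='admin' AND password='123' OR sleep(5)"


def count_sleep_calls(admin_password, other_users):
    """Run QUERY over a constructed users table.

    Returns (number of sleep() invocations, number of rows returned).
    """
    calls = []

    def fake_sleep(seconds):
        # Stand-in for the database's sleep(): records the requested delay
        # instead of waiting, and returns 0 as MySQL's SLEEP() normally does.
        calls.append(seconds)
        return 0

    db = sqlite3.connect(":memory:")
    # Registered as non-deterministic (the default), so SQLite evaluates it
    # per row rather than once per statement.
    db.create_function("sleep", 1, fake_sleep)
    db.execute("CREATE TABLE users(name TEXT, password TEXT)")
    # Constructed sample data: one admin row plus filler accounts.
    db.execute("INSERT INTO users VALUES ('admin', ?)", (admin_password,))
    db.executemany(
        "INSERT INTO users VALUES (?, 'x')",
        [(f"user{i}",) for i in range(other_users)],
    )
    rows = db.execute(QUERY).fetchall()
    db.close()
    return len(calls), len(rows)


if __name__ == "__main__":
    # AND binds tighter than OR, so the WHERE clause is
    # (name='admin' AND password='123') OR sleep(5), evaluated once per row.
    for n_other in (0, 9, 99):
        for pw in ("123", "not-123"):
            calls, rows = count_sleep_calls(pw, n_other)
            print(f"users={n_other + 1:3d} admin_pw={pw!r:9} "
                  f"sleep calls={calls:3d} (~{calls * 5}s) rows={rows}")
```

In this SQLite run the total delay is dominated by the number of rows in the table, which is the dependence on table size that both the question and the last answer describe.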