...
In this noncompliant code example, a user name and password are read from the user and used to construct the query string. The password is passed as a char array and then hashed, in order to comply with MSC51-J, "Store passwords using a hash function," and MSC63-JG, "Limit the lifetime of sensitive data."
This example is vulnerable to the attack described above. If it is passed the attack string for login described previously, the evaluate() method call returns the corresponding login node in the XML file. This causes the login() method to return true and bypasses any authorization.
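As an added illustration (not the page's own noncompliant example), the concatenated query is shown beside a form that binds the user-supplied values as XPath variables, so they can never be parsed as query syntax; the sample document, the element names, and passing the already-computed password hash as a String are assumptions:

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XPathLoginDemo {
    // Constructed sample user store; "h3" stands in for a stored password hash.
    private static final String USERS_XML =
        "<users><user><login>alice</login><password>h3</password></user></users>";

    // Noncompliant form: user-controlled text becomes part of the query itself,
    // so crafted input can change the predicate instead of matching a value.
    static boolean loginConcat(Document doc, String user, String passHash)
            throws XPathExpressionException {
        String expr = "//users/user[login/text()='" + user
                    + "' and password/text()='" + passHash + "']";
        XPath xp = XPathFactory.newInstance().newXPath();
        return xp.evaluate(expr, doc, XPathConstants.NODE) != null;
    }

    // Hardened form: the query text is fixed; $user and $pass are resolved as
    // values at evaluation time and are never interpreted as XPath syntax.
    static boolean loginBound(Document doc, String user, String passHash)
            throws XPathExpressionException {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(name -> {
            String local = name.getLocalPart();
            if ("user".equals(local)) return user;
            if ("pass".equals(local)) return passHash;
            return null;
        });
        XPathExpression compiled =
            xp.compile("//users/user[login/text()=$user and password/text()=$pass]");
        return compiled.evaluate(doc, XPathConstants.NODE) != null;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject DOCTYPE declarations so the parser cannot be steered by entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
                          .parse(new InputSource(new StringReader(USERS_XML)));
        System.out.println("bound, correct hash: " + loginBound(doc, "alice", "h3"));
        System.out.println("bound, wrong hash:   " + loginBound(doc, "alice", "nope"));
    }
}
```

With the bound form, any quote or operator characters in the input are compared literally against the text nodes, which is the property the concatenated form lacks.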
...