Software Development | Intermediate | 2 to 3 hours

Patch a SQL Injection Vulnerability

Rewrite dangerous raw SQL queries using parameterized statements.

The Scenario

A legacy Node.js application searches for users by username. The query is written as: `db.query("SELECT * FROM users WHERE username = '" + req.body.username + "'")`. A malicious user just dropped the users table using `' OR 1=1; DROP TABLE users; --`.

The Brief

Rewrite the vulnerable database interaction. You can either use parameterized queries with the raw driver (e.g., `pg` or `mysql2`), or implement an ORM (like Prisma or Sequelize) to handle escaping automatically.

Deliverables

  • The patched code snippet showing the secure database query
  • An explanation of exactly how the malicious payload (`' OR 1=1; DROP TABLE users; --`) manipulated the original query string
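Added illustration for the Brief and both deliverables (written for this page, not part of the challenge text or a model answer): the scenario's concatenated query beside a parameterized version in the text/values shape the `pg` driver takes, plus a small statement splitter (an assumed helper, written here) that shows where the payload leaves the string literal. No driver call is made, so it runs without a database.

```javascript
// Added example, not from the challenge page: the scenario's vulnerable query
// builder beside a parameterized one, plus a splitter to show how the payload parses.
// Original construction from the scenario: input is spliced into SQL text.
function vulnerableQuery(username) {
  return "SELECT * FROM users WHERE username = '" + username + "'";
}
// Parameterized form: the SQL text is fixed; the value is sent separately and
// the server binds it as data, never parsing it as SQL. (mysql2 uses `?`
// placeholders instead of `$1`, with the same text/values separation.)
function parameterizedQuery(username) {
  return { text: 'SELECT * FROM users WHERE username = $1', values: [username] };
}
// Split SQL text into statements roughly as a server lexer would: a `;` inside a
// single-quoted literal ('' escapes a quote) is data, a `;` outside is a
// statement separator, and `--` starts a comment that runs to end of line.
function splitStatements(sql) {
  const statements = [];
  let current = '';
  let inLiteral = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inLiteral) {
      current += ch;
      if (ch === "'") {
        if (sql[i + 1] === "'") { current += "'"; i++; } // escaped quote, stay inside
        else inLiteral = false;                           // literal closed
      }
    } else if (ch === "'") {
      inLiteral = true;
      current += ch;
    } else if (ch === '-' && sql[i + 1] === '-') {
      while (i < sql.length && sql[i] !== '\n') i++;      // skip the comment
    } else if (ch === ';') {
      if (current.trim()) statements.push(current.trim());
      current = '';
    } else {
      current += ch;
    }
  }
  if (current.trim()) statements.push(current.trim());
  return statements;
}
const PAYLOAD = "' OR 1=1; DROP TABLE users; --"; // the payload quoted in the scenario
// Concatenation yields two statements (the second is DROP TABLE); the
// parameterized text is still one statement and the payload is just a bound value.
console.log(splitStatements(vulnerableQuery(PAYLOAD)));
console.log(splitStatements(parameterizedQuery(PAYLOAD).text), parameterizedQuery(PAYLOAD).values);
```

A semicolon inside a properly quoted value (`'a;b'`) stays data even in the concatenated form, which is why filtering semicolons misses the point: the leading `'` that closes the literal is what turns data into code, and parameter binding removes that boundary entirely.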

Submission Guidance

The goal is to prove you understand parameterized queries. Simply writing a regex to block semicolons is not an acceptable solution.

Submit Your Work

Your submission is graded against the rubric on the right. If you pass, you get a public Badge URL you can share on LinkedIn. There is no draft save, so work offline first and paste your finished response here.
