Software DevelopmentIntermediate 2 to 3 hours

Patch a SQL Injection Vulnerability

Rewrite dangerous raw SQL queries using parameterized statements.

The Scenario

A legacy Node.js application searches for users by username. The query is written as: `db.query("SELECT * FROM users WHERE username = '" + req.body.username + "'")`. A malicious user just dropped the users table using `' OR 1=1; DROP TABLE users; --`.

The Brief

Rewrite the vulnerable database interaction. You can either use parameterized queries with the raw driver (e.g., `pg` or `mysql2`), or implement an ORM (like Prisma or Sequelize) to handle escaping automatically.

Deliverables

  • The patched code snippet showing the secure database query
  • An explanation of exactly how the malicious payload (`' OR 1=1; DROP TABLE users; --`) manipulated the original query string

Submission Guidance

The goal is to prove you understand parameterized queries. Simply writing a regex to block semicolons is not an acceptable solution.

Submit Your Work

Your submission is graded against the rubric on the right. If you pass, you get a public Badge URL you can share on LinkedIn. There is no draft save, so work offline first and paste your finished response here.

This appears on your public Badge.

We'll email you the permanent link to your Badge so you never lose it. Not shown publicly.

0/20000 charactersMarkdown supported

One per line or comma separated. Up to 5 links.

Loading security check...

By submitting, you agree your submission text, name, and evaluation will appear on a public Badge URL.