This educational app is designed to demonstrate SQL injection vulnerabilities in web applications. It's a simple Express.js server with a mock SQLite database to handle user logins and search functionalities.
To get started, clone the repository and install the dependencies:
git clone https://github.com/djmotor90/sql-injection-activity
cd sql-injection-activity
npm installMake sure you have Node.js and npm installed on your system.
Running the Server Run the server using the following command:
node app.jsThe server will start on localhost:3000
- app.js: The main server file with Express.js setup.
- index.html: The frontend HTML file with login and search forms.
- style.css: The stylesheet for the frontend.
The SQLite database is created in memory with a user table. It's populated with sample user data for login testing.
Users can log in using their username and password.
The login feature is intentionally vulnerable to SQL injection.
A simple search feature to search users by username.
This feature is also vulnerable to SQL injection.
- Normal Login: Use a known username and password to log in.
- Injection Attack: Use a username and the following string as the password: unknown' OR '1'='1.
- Normal Search: Search for a username using a part or full name.
- Injection Attack: Use the following string in the search: %' OR '1'='1.
This application is for educational purposes only and demonstrates how SQL injection can be exploited. In real-world applications, always use parameterized queries or prepared statements to prevent SQL injection.