Interactive demo — Week 2 (vulnerable version)
TaskManager — Search
Search tasks by user: type a name to see their assigned tasks.
Username
Try these attack strings: dump all users, bypass filter, delete all tasks, drop table, extract emails
Generated SQL:
SELECT * FROM task WHERE user_id = (SELECT id FROM user WHERE name = '')
Results: no query run yet. Type a name above, then try one of the attack strings to see what happens.
The code — what's happening
The app in this demo is the task management system from your assignment. A manager types a name into a search box to see someone's tasks. Normal inputs like Alice Jensen work perfectly.

But the backend builds the SQL query by concatenating the input directly into a string. This means an attacker doesn't need an account, doesn't need to know the schema, and doesn't need any special tools — just a text box and some knowledge of SQL syntax.
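The following is an added example, not the demo's own backend code. It rebuilds the demo's query shape in Python against an in-memory SQLite database with constructed sample rows (the "user" and "task" tables are those the generated SQL above references; columns other than user.id, user.name and task.user_id are assumptions). It runs the concatenated query and the parameterized query side by side on three inputs: an ordinary name, a legitimate name that happens to contain an apostrophe, and the textbook tautology string, so you can see that in the vulnerable version the input is executed as SQL, while in the hardened version it is only ever compared against the name column.

```python
import sqlite3

# Constructed sample data (not the assignment's real rows). Mirrors the two
# tables the demo's generated SQL references; extra columns are assumptions.
SAMPLE_SCHEMA = """
CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT);
CREATE TABLE task (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, title TEXT);
INSERT INTO user VALUES (1, 'Alice Jensen', 'alice@example.com');
INSERT INTO user VALUES (2, 'Bob O''Brien',  'bob@example.com');
INSERT INTO task VALUES (1, 1, 'Write report');
INSERT INTO task VALUES (2, 1, 'Review budget');
INSERT INTO task VALUES (3, 2, 'Fix printer');
"""


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


# The demo's query shape: the typed name is pasted straight into the SQL text.
VULNERABLE_TEMPLATE = (
    "SELECT * FROM task WHERE user_id = "
    "(SELECT id FROM user WHERE name = '{name}')"
)


def search_vulnerable(conn, name):
    """String concatenation: whatever is typed becomes part of the SQL program.

    Returns (rows, error). A quote in the input either breaks the statement
    (syntax error) or changes what it selects (rows the caller never asked for).
    """
    sql = VULNERABLE_TEMPLATE.format(name=name)
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.OperationalError as exc:
        return [], str(exc)


# Same query, but the name travels as a bound parameter: the SQL text is fixed
# and the driver hands the value to the engine separately, so it can only be
# compared against user.name, never parsed as SQL.
SAFE_SQL = "SELECT * FROM task WHERE user_id = (SELECT id FROM user WHERE name = ?)"


def search_safe(conn, name):
    return conn.execute(SAFE_SQL, (name,)).fetchall()


def compare(conn, name):
    """Run both versions on one input so the difference is visible side by side."""
    vuln_rows, vuln_err = search_vulnerable(conn, name)
    return {
        "vulnerable_rows": len(vuln_rows),
        "vulnerable_error": vuln_err,
        "safe_rows": len(search_safe(conn, name)),
    }


if __name__ == "__main__":
    db = make_db()
    # Ordinary name, a real name containing a quote, and the textbook tautology.
    for typed in ["Alice Jensen", "Bob O'Brien", "' OR '1'='1"]:
        print(repr(typed), compare(db, typed))
```

Two things to notice when you run it. The name Bob O'Brien is a perfectly legitimate input, yet it produces a SQL syntax error in the vulnerable version, which is the first sign in testing that input is reaching the parser as SQL; the parameterized version finds his one task. The tautology string matches no user at all, so the correct answer is zero tasks, and that is what the parameterized query returns; the concatenated query instead returns Alice's two tasks, because the quote closed the string literal and the rest of the input rewrote the WHERE clause (SQLite takes the first row of the now multi-row subquery; other engines raise an error or behave differently, which is why the exact outcome of injection varies by database while the root cause is the same).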

SQL injection has been in the OWASP Top 10 most critical web vulnerabilities for over 20 years. It is responsible for some of the largest data breaches in history — not because it is sophisticated, but because it is easy to overlook when everything works fine in testing.