lessonKey: "sql-injection-shop"
title: "SQL Injection Attack - Online Shop Demo"
description: "Learn how SQL injection vulnerabilities work through a realistic online shop scenario"
difficultyLevel: "intermediate"
estimatedDuration: 20
module: "sql-injection-shop"
steps:
  - id: "intro"
    type: "content"
    title: "What is SQL Injection?"
    content: |
      SQL Injection is one of the most dangerous web application vulnerabilities. It occurs when untrusted input is pasted into the text of a SQL query, so that the input changes the structure of the query instead of being treated as a value. An attacker who controls that input can:

      • Access unauthorized data
      • Modify or delete database records
      • Bypass authentication
      • Execute administrative operations

      In this lesson, you'll explore a vulnerable online shop to understand how SQL injection works and why building queries from bound parameters, backed by proper input validation, is critical.

  - id: "shop-demo"
    type: "interactive"
    title: "Vulnerable Online Shop"
    interactiveComponent: "SQLShopDemo"
    content: |
      Below is a simplified online shop with a product search feature. The search functionality is vulnerable to SQL injection.

      Try searching for normal products first, then experiment with SQL injection techniques.

  - id: "question-1"
    type: "question"
    questionType: "multiple_choice"
    question: "Which of the following search inputs could be used to exploit SQL injection?"
    options:
      - id: "normal-search"
        text: "laptop"
        isCorrect: false
        points: 0
      - id: "single-quote"
        text: "' OR '1'='1"
        isCorrect: true
        points: 15
      - id: "union-select"
        text: "' UNION SELECT username, password FROM users--"
        isCorrect: true
        points: 15
      - id: "drop-table"
        text: "'; DROP TABLE products--"
        isCorrect: true
        points: 10
    maxPoints: 40
    feedback:
      correct: "Correct! Each of these inputs closes the quoted search string early and makes the rest of the input part of the SQL query itself."
      incorrect: "Review the demo. SQL injection exploits use special characters like quotes, comment markers and semicolons together with SQL keywords to change the query's structure."

  - id: "detection"
    type: "content"
    title: "How SQL Injection Works"
    content: |
      A vulnerable query might look like:

        SELECT * FROM products WHERE name LIKE '%[USER_INPUT]%'

      When a user searches for "laptop", the query becomes:

        SELECT * FROM products WHERE name LIKE '%laptop%'

      But if they enter "' OR '1'='1", it becomes:

        SELECT * FROM products WHERE name LIKE '%' OR '1'='1%'

      The single quote in the input closed the string early, so the rest of the input is parsed as SQL. The WHERE clause is now "name LIKE '%' OR '1'='1%'". The first half, name LIKE '%', matches every product name, so ALL products are returned no matter what the leftover comparison evaluates to. The same trick with a login form ("admin'--") can bypass authentication.

      More dangerous attacks extract data from other tables (a UNION SELECT with the right number of columns appends rows from another table to the search results) or modify and delete data. Stacked statements such as "'; DROP TABLE products--" only work where the database driver executes several statements in one call; many drivers refuse that, but the tautology and UNION forms need no such help.

  - id: "question-2"
    type: "question"
    questionType: "single_choice"
    question: "What is the BEST way to prevent SQL injection vulnerabilities?"
    options:
      - id: "input-filtering"
        text: "Filter out dangerous characters like quotes and semicolons"
        isCorrect: false
        points: 0
      - id: "parameterized-queries"
        text: "Use parameterized queries (prepared statements)"
        isCorrect: true
        points: 30
      - id: "stored-procedures"
        text: "Only use stored procedures for database access"
        isCorrect: false
        points: 0
      - id: "input-length"
        text: "Limit the length of user inputs"
        isCorrect: false
        points: 0
    maxPoints: 30
    feedback:
      correct: "Excellent! Parameterized queries separate SQL code from user data: the query text is fixed before the input is seen, so the input can never change the query's structure."
      incorrect: "While filtering and validation help, parameterized queries are the gold standard. They ensure user input is always treated as data, never as SQL code. Stored procedures and length limits do not help if the SQL inside them is still built by concatenation."

  - id: "mitigation"
    type: "content"
    title: "Preventing SQL Injection"
    content: |
      Best practices to prevent SQL injection:

      1. **Parameterized Queries** (Most Important)
         • Use prepared statements with bound parameters
         • Never concatenate user input into SQL strings, not even after escaping it

      2. **Input Validation**
         • Validate data types (numbers, emails, etc.)
         • Use allowlists for expected values, especially for parts of a query that cannot be bound, such as column names or sort order

      3. **Least Privilege**
         • Database accounts should have minimal permissions
         • Read-only accounts for read operations, so an injection in a search feature cannot modify or drop tables

      4. **Web Application Firewalls**
         • Can detect and block common SQL injection attempts
         • Should be used as an additional layer, not the primary defense; encoded or unusual payloads get past signature rules

      5. **Regular Security Audits**
         • Code reviews and penetration testing
         • Automated vulnerability scanning

  - id: "question-3"
    type: "question"
    questionType: "free_text"
    question: "In your own words, explain why parameterized queries prevent SQL injection."
    validationRules:
      keywords:
        required: ["parameter", "data", "separate"]
        partialCredit: 10
      minLength: 50
    maxPoints: 30
    feedback:
      correct: "Great explanation! You understand that parameterized queries keep SQL structure separate from user data."
      incorrect: "Think about how parameterized queries treat user input differently than string concatenation. Key concepts: separation of code and data."

scoring:
  passingScore: 70
  maxTotalPoints: 100