Sql-Injection-Test

Version: 1.0.23110.1
Created by: Jalijali@orca-central.de Last Modified by: Jalijali@orca-central.de

About

This project implements a very simple web service that is vulnerable to an SQL injection attack. A simple web page is protected by a user name and password. The password is checked by requesting the user name and password from the database and checking whether they exist. If they do, the user is granted access to the web page; if not, they are sent back to the login page.

The SQL queries, however, are vulnerable to SQL injection, so a user can gain access simply by entering a statement such as

wurst' OR '1'='1

into the password field. The WHERE clause condition '1'='1' is always true, and therefore the statement always returns a list of all possible users.

The example creates an in-memory database with users Alice and Bob.

Description
A small example program that implements a minimalist web service that is vulnerable to SQL injection attacks.