diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java
index 203d5ec35..c41dfa9f2 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/BackDoors.java	
@@ -3,6 +3,7 @@ package org.owasp.webgoat.lessons;
 import java.sql.Connection;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.util.ArrayList;
 import java.util.List;
 import java.sql.Statement;
 
@@ -15,6 +16,9 @@ import org.apache.ecs.html.Span;
 import org.apache.ecs.html.Div;
 import org.apache.ecs.html.Input;
 import org.apache.ecs.html.BR;
+import org.apache.ecs.html.TD;
+import org.apache.ecs.html.TR;
+import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.DatabaseUtilities;
 import org.owasp.webgoat.session.WebSession;
 
@@ -23,7 +27,7 @@ public class BackDoors extends LessonAdapter {
 	private static Connection connection = null;
 	private final static Integer DEFAULT_RANKING = new Integer(80);
 	private final static String USERNAME = "username";
-	
+	private final static String SELECT_ST = "select userid, password, ssn, salary from employee where userid=";
 	protected Element createContent( WebSession s )
 	{
 		return super.createStagedContent(s);
@@ -51,17 +55,36 @@ public class BackDoors extends LessonAdapter {
 			String userInput = s.getParser().getRawParameter(USERNAME, "");
 			if (!userInput.equals(""))
 			{
+				userInput = SELECT_ST + userInput;
 				String[] arrSQL = userInput.split(";");
+				Connection conn = getConnection(s);
+				Statement statement = conn.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
 				if (arrSQL.length == 2)
 				{
-					Connection conn = getConnection(s);
-					Statement statement = conn.createStatement( ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY );
 					statement.executeUpdate( arrSQL[1] );
 					
-					makeSuccess(s);
 					getLessonTracker(s).setStage(2);
 					s.setMessage("You have succeeded in exploiting the vulnerable query and created another SQL statement. Now move to stage 2 to learn how to create a backdoor or a DB worm");
 				}
+				
+				ResultSet rs = statement.executeQuery( arrSQL[0]);
+				if (rs.next())
+				{
+					Table t = new Table( 0 ).setCellSpacing( 0 ).setCellPadding( 0 ).setBorder( 1 );
+					TR tr = new TR();
+					tr.addElement( new TD("User ID"));
+					tr.addElement( new TD("Password"));
+					tr.addElement( new TD("SSN"));
+					tr.addElement( new TD("Salary"));
+					t.addElement(tr);
+					tr = new TR();
+					tr.addElement( new TD(rs.getString("userid")));
+					tr.addElement( new TD(rs.getString("password")));
+					tr.addElement( new TD(rs.getString("ssn")));
+					tr.addElement( new TD(rs.getString("salary")));
+					t.addElement(tr);
+					ec.addElement(t);
+				}
 			}
 		}
 		catch(Exception ex)
@@ -105,8 +128,8 @@ public class BackDoors extends LessonAdapter {
 				instructions = "Stage " + getStage(s) + ": Use String SQL Injection to execute more than one SQL Statement. ";
 				instructions = instructions + " The first stage of this lesson is to teach you how to use a vulnerable field to create two SQL ";
 				instructions = instructions + " statements. The first is the system's while the second is totally yours.";
-				instructions = instructions + " Try to enter something in the email field and it will get updated in the rectangle below,";
-				instructions = instructions + " to see the actual SQL statement that will be executed. Try to execute an update statement";
+				instructions = instructions + " Your account ID is 101. This page allows you to see your password, ssn and salary.";
+				instructions = instructions + "  Try to inject another update to update salary to something higher";
 				break;
 			case 2:
 				instructions = "Stage " + getStage(s) + ": Use String SQL Injection to inject a backdoor. " ;
@@ -137,7 +160,7 @@ public class BackDoors extends LessonAdapter {
 		script.append( "</STYLE>" );		
 		ec.addElement( new StringElement(script.toString()));
 			
-		ec.addElement( new StringElement( "Username: " ) ) ;
+		ec.addElement( new StringElement( "User ID: " ) ) ;
 		Input username = new Input( Input.TEXT, "username", "" );
 		ec.addElement( username  );
 				
@@ -147,7 +170,7 @@ public class BackDoors extends LessonAdapter {
 		ec.addElement(new BR());
 		
 		String formattedInput = "<span class='myClass'>" + userInput + "</span>";
-		ec.addElement( new Div("select userid, ssn, salary from employee where login=" + formattedInput ));
+		ec.addElement( new Div(SELECT_ST + formattedInput ));
 		
 		Input b = new Input();
 		
@@ -176,7 +199,12 @@ public class BackDoors extends LessonAdapter {
 	}
 
 	protected List getHints() {
-		return super.getHints();
+		List<String> hints = new ArrayList<String>();
+		hints.add( "Your user id is 101. Use it to see your information" );
+		hints.add( "A semi-colon usually ends a SQL statement and starts a new one." );
+		hints.add( "Try this 101; update employee set salary=100000" );
+		hints.add( "For stage 2, Try 101; CREATE TRIGGER myBackDoor BEFORE INSERT ON customers FOR EACH ROW BEGIN UPDATE customers SET email='john@hackme.com'WHERE userid = NEW.userid");
+		return hints;
 	}
 
 	protected Category getDefaultCategory()
diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java
index 39d09df5f..e04eb26e0 100644
--- a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java	
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/HttpSplitting.java	
@@ -79,11 +79,7 @@ public class HttpSplitting extends LessonAdapter {
 					out.print(message);	
 					out.flush();
 					out.close();
-					
-					//we gotta set it manually here so that we don't throw an exception
-					getLessonTracker(s).setCompleted(true);
-	
-					//makeSuccess( s );
+						
 					getLessonTracker(s).setStage(2);
 					
 					StringBuffer msg = new StringBuffer();
@@ -128,11 +124,11 @@ public class HttpSplitting extends LessonAdapter {
 		
 		if (getLessonTracker(s).getStage() == 1)
 		{
-			ec.addElement( new H3( "Stage 1: HTTP Splitting:<br>" ) );
+			ec.addElement( new H3( "Stage 1: HTTP Splitting:<br><br>" ) );
 		}
 		else
 		{
-			ec.addElement( new H3( "Stage 2: Cache Poisoning:<br>" ) );
+			ec.addElement( new H3( "Stage 2: Cache Poisoning:<br><br>" ) );
 		}
 		ec.addElement( new StringElement( "Search by country : " ) );
 
@@ -155,7 +151,7 @@ public class HttpSplitting extends LessonAdapter {
 		
 		try 
 		{
-			ec.addElement("Now that you have successfully performed an HTTP Splitting, now try to poison" +
+			s.setMessage("Now that you have successfully performed an HTTP Splitting, now try to poison" +
 					" the victim's cache using. Type 'restart' in the input field if you wish to " +
 					" to return to the HTTP Splitting lesson.<br><br>");
 			if ( s.getParser().getRawParameter( LANGUAGE, "YOUR_NAME" ).equals("restart"))
@@ -182,7 +178,6 @@ public class HttpSplitting extends LessonAdapter {
 					if (sdf.parse(dateStr.trim()).after(cal.getTime()))
 					{
 						makeSuccess(s);
-						getLessonTracker(s).setStage(2);
 					}
 				}
 			}
diff --git a/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html b/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html
index 1547c9100..aaa8d439a 100644
--- a/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html	
+++ b/ webgoat/main/project/WebContent/lesson_plans/BackDoors.html	
@@ -18,4 +18,5 @@ can create a trigger that would set his email address instead of every new user'
 <!-- Start Instructions -->
 * Your goal should be to learn how you can exploit a vulnerable query to create a trigger.<br>
 * You will not be able to actually create one in this lesson because the underlying database engine used with WebGoat doesn't support triggers.<br>
+* Your login ID is 101. 
 <!-- Stop Instructions -->