diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
index ee6dab42a..d62a73865 100644
--- a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallenge.java
@@ -3,7 +3,6 @@ package org.owasp.webgoat.plugin.advanced;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.RandomStringUtils;
 import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
 import org.owasp.webgoat.assignments.AssignmentPath;
 import org.owasp.webgoat.assignments.AttackResult;
 import org.owasp.webgoat.session.DatabaseUtilities;
@@ -11,14 +10,11 @@ import org.owasp.webgoat.session.WebSession;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.PutMapping;
-import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 import java.sql.*;
 
-import static org.springframework.web.bind.annotation.RequestMethod.POST;
-
 /**
 * @author nbaars
 * @since 4/8/17.
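Review bot: The first hunk removes the `org.owasp.webgoat.assignments.AssignmentHints` import, yet the class keeps `@AssignmentHints(value = {"SqlInjectionChallenge1", ...})` as a context line in the following hunk (`@@ -26,12 +22,11 @@`), so unless that annotation is resolved some other way the file no longer compiles. Either restore `import org.owasp.webgoat.assignments.AssignmentHints;` or move the remaining annotation along with the login endpoint. Dropping `RequestMapping` and the static `POST` import is consistent with the login endpoint moving to the new `SqlInjectionChallengeLogin` class.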
@@ -26,12 +22,11 @@ import static org.springframework.web.bind.annotation.RequestMethod.POST;
 @AssignmentPath("SqlInjection/challenge")
 @AssignmentHints(value = {"SqlInjectionChallenge1", "SqlInjectionChallenge2", "SqlInjectionChallenge3"})
 @Slf4j
-@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
 public class SqlInjectionChallenge extends AssignmentEndpoint {
 
 private static final String PASSWORD_TOM = "thisisasecretfortomonly";
 //Make it more random at runtime (good luck guessing)
-private static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16);
+static final String USERS_TABLE_NAME = "challenge_users_6" + RandomStringUtils.randomAlphabetic(16);
 
 @Autowired
 private WebSession webSession;
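Review bot: `static final String USERS_TABLE_NAME` is widened from private to package-private without a word on why; a comment such as `// package-private: shared with SqlInjectionChallengeLogin, which queries the same table` would stop the next reader from re-privatising it. The comment above it promises an unguessable name, but `RandomStringUtils.randomAlphabetic` is, as far as I know, backed by a plain `java.util.Random` rather than `SecureRandom`; if the name is genuinely meant to be unguessable it should come from a `SecureRandom`-backed generator, and if that does not matter for the lesson the comment should say so rather than claim it.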
@@ -49,22 +44,26 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
 Connection connection = DatabaseUtilities.getConnection(webSession);
 checkDatabase(connection);
 
-String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";
-Statement statement = connection.createStatement();
-ResultSet resultSet = statement.executeQuery(checkUserQuery);
+try {
+String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";
+Statement statement = connection.createStatement();
+ResultSet resultSet = statement.executeQuery(checkUserQuery);
 
-if (resultSet.next()) {
-attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
-} else {
-PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)");
-preparedStatement.setString(1, username_reg);
-preparedStatement.setString(2, email_reg);
-preparedStatement.setString(3, password_reg);
-preparedStatement.execute();
-attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
+if (resultSet.next()) {
+attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
+} else {
+PreparedStatement preparedStatement = connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)");
+preparedStatement.setString(1, username_reg);
+preparedStatement.setString(2, email_reg);
+preparedStatement.setString(3, password_reg);
+preparedStatement.execute();
+attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
+}
+} catch(SQLException e) {
+attackResult = failed().output("Something went wrong").build();
 }
-}
-return attackResult;
+}
+return attackResult;
 }
 
 private AttackResult checkArguments(String username_reg, String email_reg, String password_reg) {
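Review bot: The new `catch(SQLException e)` at the end of the try discards the exception, so a failing registration leaves no server-side trace while the caller only sees "Something went wrong"; keep the generic user-facing message but record the cause with the class's logger, `log.error("Registration of user {} failed", username_reg, e);`. The `Statement`, `ResultSet` and `PreparedStatement` created inside the try are never closed on either path, which leaks a statement per request until the connection goes away; try-with-resources releases them on both the normal and the exception path. The string-concatenated `checkUserQuery` appears to be the lesson's intended injection point, so the sketch below leaves that line as it is. The enclosing method starts outside the hunk.
```java
String checkUserQuery = "select userid from " + USERS_TABLE_NAME + " where userid = '" + username_reg + "'";
try (Statement statement = connection.createStatement();
     ResultSet resultSet = statement.executeQuery(checkUserQuery)) {
    if (resultSet.next()) {
        attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
    } else {
        try (PreparedStatement preparedStatement =
                 connection.prepareStatement("INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)")) {
            preparedStatement.setString(1, username_reg);
            preparedStatement.setString(2, email_reg);
            preparedStatement.setString(3, password_reg);
            preparedStatement.execute();
        }
        attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
    }
} catch (SQLException e) {
    // generic message for the client, full cause in the server log
    log.error("Registration of user {} failed", username_reg, e);
    attackResult = failed().output("Something went wrong").build();
}
// … unchanged: closing brace of the surrounding if, return attackResult …
```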
@@ -77,34 +76,17 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
 return null;
 }
 
-@RequestMapping(method = POST)
-@ResponseBody
-public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
-Connection connection = DatabaseUtilities.getConnection(webSession);
-checkDatabase(connection);
-
-PreparedStatement statement = connection.prepareStatement("select password from " + USERS_TABLE_NAME + " where userid = ? and password = ?");
-statement.setString(1, username_login);
-statement.setString(2, password_login);
-ResultSet resultSet = statement.executeQuery();
-
-if (resultSet.next() && "tom".equals(username_login)) {
-return success().build();
-} else {
-return failed().feedback("NoResultsMatched").build();
-}
-}
-
-private void checkDatabase(Connection connection) throws SQLException {
+static void checkDatabase(Connection connection) throws SQLException {
 try {
 Statement statement = connection.createStatement();
+System.out.println(USERS_TABLE_NAME);
 statement.execute("select 1 from " + USERS_TABLE_NAME);
 } catch (SQLException e) {
 createChallengeTable(connection);
 }
 }
 
-private void createChallengeTable(Connection connection) {
+static void createChallengeTable(Connection connection) {
 Statement statement = null;
 try {
 statement = connection.createStatement();
@@ -134,6 +116,5 @@ public class SqlInjectionChallenge extends AssignmentEndpoint {
 log.error("Unable create table", e);
 }
 }
-
 }
 
diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
new file mode 100644
index 000000000..05816c434
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/advanced/SqlInjectionChallengeLogin.java
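Review bot: `System.out.println(USERS_TABLE_NAME);` added inside `checkDatabase` writes the randomised table name to stdout on every call, bypassing the class's `log` (used in `createChallengeTable` just below) and undercutting the "good luck guessing" intent of that name; delete the line, or if it is needed while developing make it `log.debug("challenge table {}", USERS_TABLE_NAME);`. Since `checkDatabase` and `createChallengeTable` are now package-visible statics, a one-line comment on each such as `// package-private static: also called from SqlInjectionChallengeLogin` would explain the widened visibility. The second hunk of this section only drops a blank line and needs nothing.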
@@ -0,0 +1,48 @@
+package org.owasp.webgoat.plugin.advanced;
+
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentHints;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.DatabaseUtilities;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+import java.sql.*;
+
+import static org.springframework.web.bind.annotation.RequestMethod.POST;
+
+@AssignmentPath("SqlInjection/challenge_Login")
+@Slf4j
+@AssignmentHints(value ={"SqlInjectionChallengeHint1", "SqlInjectionChallengeHint2", "SqlInjectionChallengeHint3", "SqlInjectionChallengeHint4"})
+public class SqlInjectionChallengeLogin extends AssignmentEndpoint {
+
+@Autowired
+private WebSession webSession;
+
+
+@RequestMapping(method = POST)
+@ResponseBody
+public AttackResult login(@RequestParam String username_login, @RequestParam String password_login) throws Exception {
+System.out.println("right Method");
+Connection connection = DatabaseUtilities.getConnection(webSession);
+SqlInjectionChallenge.checkDatabase(connection);
+
+PreparedStatement statement = connection.prepareStatement("select password from " + SqlInjectionChallenge.USERS_TABLE_NAME + " where userid = ? and password = ?");
+statement.setString(1, username_login);
+statement.setString(2, password_login);
+ResultSet resultSet = statement.executeQuery();
+
+if (resultSet.next()) {
+return ("tom".equals(username_login)) ? success().build()
+: success().feedback("ResultsButNotTom").build();
+} else {
+return failed().feedback("NoResultsMatched").build();
+}
+}
+}
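Review bot: `success().feedback("ResultsButNotTom").build()` in the `if (resultSet.next())` branch reports success for any credentials that match a row, not only tom's; if `success()` is what marks the assignment solved (AttackResult is not visible here), an account the user just registered through the sibling endpoint passes the challenge, and the branch should probably read `: failed().feedback("ResultsButNotTom").build();`. `System.out.println("right Method");` at the top of `login` looks like leftover debugging and bypasses the `@Slf4j` logger; remove it or turn it into `log.debug(...)`. The `PreparedStatement` and `ResultSet` are never closed; opening them in try-with-resources releases them even when `executeQuery` throws. `RandomStringUtils` is imported but unused in this file.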
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
index 0a0861814..278a56c2a 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionAdvanced.html
@@ -83,7 +83,7 @@