added hints to sql injection assignment 4 & 5, minor text changes to be consistent to other assignments

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson4.java

@@ -46,7 +46,7 @@ import java.sql.*;
  * @created October 28, 2003
  */
 @AssignmentPath("/SqlInjection/attack4")
-@AssignmentHints(value = {"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2"})
+@AssignmentHints(value = {"SqlStringInjectionHint4a1", "SqlStringInjectionHint4a2", "SqlStringInjectionHint4a3"})
 public class SqlInjectionLesson4 extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)

webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/introduction/SqlInjectionLesson5.java

@@ -46,7 +46,7 @@ import java.sql.*;
  * @created October 28, 2003
  */
 @AssignmentPath("/SqlInjection/attack5")
-@AssignmentHints(value = {"SqlStringInjectionHint5a1", "SqlStringInjectionHint5a2"})
+@AssignmentHints(value = {"SqlStringInjectionHint5a1"})
 public class SqlInjectionLesson5 extends AssignmentEndpoint {
 
     @RequestMapping(method = RequestMethod.POST)

webgoat-lessons/sql-injection/src/main/resources/i18n/WebGoatLabels.properties

@@ -33,6 +33,10 @@ SqlStringInjectionHint2a1=You want the data from the column with the name depart
 SqlStringInjectionHint2a2=SELECT column FROM tablename WHERE condition;
 SqlStringInjectionHint3a1=Try the UPDATE statement
 SqlStringInjectionHint3a2=UPDATE tablename SET columnname=value WHERE condition;
+SqlStringInjectionHint4a1=ALTER TABLE alters the structure of an existing database
+SqlStringInjectionHint4a2=Don't forget the data type of the new column (e.g. varchar(size) or int(size))
+SqlStringInjectionHint4a3=ALTER TABLE tablename ADD columnname data type(size);
+SqlStringInjectionHint5a1=Look at the example. There's everything you'll need.
 SqlStringInjectionHint6=Try Appending a new SQL Statement to the Query.
 SqlStringInjectionHint7=The new SQL Statement can be really simple like: SELECT ... FROM ...
 SqlStringInjectionHint8=Your new SQL Query should start, with a " ; " and end with " -- "

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content2.adoc

@@ -12,10 +12,10 @@ If an attacker uses a SQL injection of the DML type to manipulate your database,
 * DELETE - Delete all records from a database table
 * Example:
 ** Retrieve data:
-** SELECT Phone  +
-   FROM Employees +
-   WHERE IdNum = 1354;
-** This statement delivers the phone number of the employee with the number 1354.
+** SELECT phone  +
+   FROM employees +
+   WHERE userid = 96134;
+** This statement delivers the phone number of the employee with the userid 96134.
 
 === It's your turn!
 Try to change the department of Tobi Barnett to 'Sales'.

webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_introduction_content3.adoc

@@ -10,7 +10,7 @@ If an attacker uses a SQL injection of the DDL type to manipulate your database,
 * ALTER - alters the structure of the existing database
 * DROP - delete objects from the database
 * Example:
-** CREATE TABLE Employees( +
+** CREATE TABLE employees( +
        userid varchar(6) not null primary key, +
        first_name varchar(20), +
        last_name varchar(20), +