diff --git a/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
new file mode 100644
index 000000000..d2cfd9f85
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/java/org/owasp/webgoat/plugin/mitigation/SqlInjectionLesson10a.java
@@ -0,0 +1,45 @@
+package org.owasp.webgoat.plugin.mitigation;
+
+import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
+import org.owasp.webgoat.assignments.AssignmentEndpoint;
+import org.owasp.webgoat.assignments.AssignmentPath;
+import org.owasp.webgoat.assignments.AttackResult;
+import org.owasp.webgoat.session.WebSession;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@AssignmentPath("SqlInjection/attack10a")
+@Slf4j
+public class SqlInjectionLesson10a extends AssignmentEndpoint {
+
+@Autowired
+private WebSession webSession;
+// @TODO: Maybe provide regex instead of "hard coded" strings
+private String[] results = {"getConnection", "PreparedStatement", "prepareStatement", "?", "?", "setString", "setString"};
+
+// @TODO Method head too big, better solution?
+@RequestMapping(method = RequestMethod.POST)
+@ResponseBody
+@SneakyThrows
+public AttackResult completed(@RequestParam String field1, @RequestParam String field2, @RequestParam String field3, @RequestParam String field4, @RequestParam String field5, @RequestParam String field6, @RequestParam String field7) {
+String[] userInput = {field1, field2, field3, field4, field5, field6, field7};
+int position = 0;
+boolean completed = false;
+for(String input : userInput) {
+if(input.toLowerCase().contains(this.results[position].toLowerCase())) {
+completed = true;
+} else {
+return trackProgress(failed().build());
+}
+position++;
+}
+if(completed) {
+return trackProgress(success().build());
+}
+return trackProgress(failed().build());
+}
+}
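Review bot: The `completed` flag in `completed(...)` is redundant: the loop either returns `failed()` on the first mismatch or finishes with `completed` set to true, so the final `if(completed)` is always taken and the trailing `failed()` return is unreachable, and `position` is a hand-maintained index that could be the loop variable. The substring check is also very permissive — `contains("?")` passes for any text containing a question mark and the other entries match inside unrelated words — which may be acceptable for a lesson but deserves a sentence in the existing `@TODO` on `results`. Separately, `webSession` is injected but never read, `@SneakyThrows` wraps a method that throws no checked exception, and `results` could be `private static final`. A simpler equivalent of the loop and its tail:
```java
        String[] userInput = {field1, field2, field3, field4, field5, field6, field7};
        for (int i = 0; i < userInput.length; i++) {
            if (!userInput[i].toLowerCase().contains(results[i].toLowerCase())) {
                return trackProgress(failed().build());
            }
        }
        return trackProgress(success().build());
```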
diff --git a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
index f34037088..d618b50c9 100644
--- a/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
+++ b/webgoat-lessons/sql-injection/src/main/resources/html/SqlInjectionMitigations.html
@@ -19,6 +19,24 @@
+
+
+
+
+
+
+

Connection conn = DriverManager.(DBURL, DBUSER, DBPW);

+

= conn.("SELECT status FROM users WHERE name= AND mail=");

+

;

+

;

+
+
+ +
+
+
+
+
diff --git a/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_completion.adoc b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_completion.adoc
new file mode 100644
index 000000000..6b7c19fb0
--- /dev/null
+++ b/webgoat-lessons/sql-injection/src/main/resources/lessonPlans/en/SqlInjection_jdbc_completion.adoc
@@ -0,0 +1,5 @@
+== Try it! Writing safe code
+
+You can see some code down below, but the Code is incomplete. Complete the code, so that is no longer vulnerable for an SQL Injection! Use the classes and methods you have learned before.
+
+The code has to retrieve the status of the user based on the name and the mail address of the user. Both the name and the mail are in the string format.