Joined: Oct 9, 2025 | Messages: 38
SQL Injection is a code injection technique that exploits security vulnerabilities in application-database interactions. It occurs when untrusted data is incorporated into SQL queries without proper validation, sanitization, or parameterization.
Through it, attackers inject and execute unauthorized Structured Query Language (SQL) code, aiming to manipulate, retrieve, modify, or delete data.
Why It Matters: A successful SQL injection can fully compromise a system — leaking usernames/passwords, hijacking sessions, dumping entire databases, and possibly leading to Remote Code Execution (RCE) under certain conditions.
Injection Types:
- Union-Based: Uses UNION operator to combine results
- Error-Based: Extracts data from error messages
- Boolean-Based Blind: Uses true/false responses
- Time-Based Blind: Uses timing delays to infer data
- Stacked Queries: Executes multiple queries sequentially
- Delimiter: Characters like ' or " that break query context
- Comment Operators: --, #, /* */ to ignore remaining query
- Union Operator: Combines SELECT statements
- Information Schema: Database metadata tables
- Payload: Malicious input designed to exploit vulnerability
Key Terminology
| Term | Meaning |
|---|---|
| Vulnerable Parameter | An input vector susceptible to manipulation; e.g., ?id= in URLs. |
| Backend DBMS | Database Management System: PostgreSQL, MySQL, MSSQL, Oracle, SQLite. |
| In-Band vs Out-of-Band vs Blind | See the breakdown below. |
| Stacked Queries | Executes multiple SQL statements separated by semicolons (;). Requires explicit support, often disabled by default. |
| UNION Query | Combines results from two or more SELECT statements, useful when retrieving extra data into visible parts of the page. |
| Error-Based Injection | Uses database-generated errors to infer schema info (database name, table/column names). |
| Boolean-Based Blind Injection | Infers truthfulness based on different behaviors (e.g., page shows content vs. not). |
| Time-Based Blind Injection | Observes delays in response to determine truth (e.g., sleep/pause in DB server). |
| Out-of-Band Injection | Requires DBMS features like xp_dirtree, LOAD_FILE, etc. Relies on DNS or HTTP callbacks. |
| Second Order Injection | Payload is injected early in the process but manifests elsewhere later (less common). |
Step-by-Step Beginner's Guide
STEP 1: Find a Safe Practice Website
Don't test on real websites! Use these safe practice sites:
- Go to: https://sqlbolt.com/ (Interactive SQL learning)
- Or: http://testphp.vulnweb.com/ (Deliberately vulnerable site)
- Or: https://hackxor.net/ (Web game with vulnerabilities)
STEP 2: Look for Places to Test
On the practice website, look for:
- Search boxes
- Product categories
- Login forms
- URLs that have ?id=1 or ?category=2
- Click on any category like "Art" or "Music"
- Look at the URL in the address bar; it will look like:
Code:
http://testphp.vulnweb.com/listproducts.php?cat=1
STEP 3: Basic Testing in Browser Address Bar
Now try these simple tests in the URL:
Test 1: Add a single quote
Code:
Change: http://testphp.vulnweb.com/listproducts.php?cat=1
To: http://testphp.vulnweb.com/listproducts.php?cat=1'
What to look for:
- Does the page show a SQL error?
- Does the page look broken or different?
Test 2: Try OR 1=1
Code:
http://testphp.vulnweb.com/listproducts.php?cat=1 OR 1=1
Test 3: Try with comments
STEP 4: Understanding What You're Doing
When you type cat=1' you're essentially breaking the SQL query:
Original SQL query:
SQL:
SELECT * FROM products WHERE category = '1'
After your input:
SQL:
SELECT * FROM products WHERE category = '1''
This causes a syntax error because of the extra quote.
STEP 5: Simple Exploitation Examples
Example 1: Show ALL products instead of just category 1
Code:
http://testphp.vulnweb.com/listproducts.php?cat=1 OR 1=1
This makes the query:
SQL:
SELECT * FROM products WHERE category = '1 OR 1=1'
One caveat: when the application wraps the value in quotes like this, the whole thing is just a string literal and the OR never runs, so you get no products rather than all of them. The bare OR 1=1 only changes the result when the value is dropped into the query unquoted (category = 1 OR 1=1). The checklist further down uses the quoted form 1' AND '1'='1 for exactly this reason: the extra quote closes the string first.
Example 2: Bypass login (if there's a login form)
Code:
Username: admin'--
Password: [anything]
This makes the query:
SQL:
SELECT * FROM users WHERE username = 'admin'--' AND password = 'anything'
The -- comments out the password check!
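To see the queries from STEP 4 and STEP 5 actually run, and what the fix looks like, here is an added example that is not code from the original post or from the practice sites. It uses Python's sqlite3 module against a small constructed in-memory database (table names, columns and rows are assumptions) and puts the string-built queries, unquoted and quoted, next to the parameterized versions that stop the injection.

```python
import sqlite3


def build_db():
    """Constructed in-memory database standing in for the practice site's tables.
    Passwords are stored in clear text only so the queries match the ones shown
    above; a real application stores salted password hashes instead."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category INTEGER);
        INSERT INTO products VALUES (1, 'Poster', 1), (2, 'Print', 1),
                                    (3, 'Album', 2), (4, 'Single', 2);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'alice', 'hunter2');
    """)
    return conn


CONN = build_db()


def products_unsafe(cat):
    """Vulnerable: the parameter is pasted into the SQL text unquoted."""
    sql = f"SELECT name FROM products WHERE category = {cat}"
    return [row[0] for row in CONN.execute(sql)]


def products_unsafe_quoted(cat):
    """Also vulnerable, but the value is wrapped in quotes as in STEP 4."""
    sql = f"SELECT name FROM products WHERE category = '{cat}'"
    return [row[0] for row in CONN.execute(sql)]


def products_safe(cat):
    """Fixed: a bound parameter is sent as data, so it can never become SQL."""
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in CONN.execute(sql, (cat,))]


def login_unsafe(username, password):
    """Vulnerable login check built by string concatenation (STEP 5, Example 2)."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return CONN.execute(sql).fetchone() is not None


def login_safe(username, password):
    """Fixed login check using bound parameters."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return CONN.execute(sql, (username, password)).fetchone() is not None


def run(query_fn, value):
    """Return what the page would show for one input: ('rows', [...]) or
    ('error', message). A database error reaching the user is the first
    sign listed in STEP 3."""
    try:
        return ("rows", query_fn(value))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for value in ("1", "1'", "1 OR 1=1"):
        print(f"cat={value!r:12} unquoted: {run(products_unsafe, value)}")
        print(f"{'':17} quoted:   {run(products_unsafe_quoted, value)}")
        print(f"{'':17} safe:     {run(products_safe, value)}")
    print("login admin'-- unsafe:", login_unsafe("admin'--", "anything"))
    print("login admin'-- safe:  ", login_safe("admin'--", "anything"))
```

Running it shows the three outcomes side by side: the unquoted query returns every product for 1 OR 1=1 and throws a syntax error for 1', the quoted query treats 1 OR 1=1 as a plain string and returns nothing, and the parameterized query returns only real category matches whatever is typed. The login functions show the same contrast for admin'--. The fix in every case is the bound parameter, not input filtering.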
STEP 6: Let's Practice on Safe Websites
Go to these sites RIGHT NOW and try:
Site 1: Hack This Site
- Visit: https://www.hackthissite.org (a free, safe and legal training ground with challenges, CTFs, and more)
- Create a free account
- Go to "Basic Missions"
- Try the SQL injection challenges
Site 2: sqli-labs
- Visit: https://github.com/Audi-1/sqli-labs (labs for error-based, Boolean-based blind and time-based injection)
- (This requires setup - more advanced)
Easy way to test forms:
- Right-click on a login form
- Click "Inspect" or "Inspect Element"
- Find the <form> tag
- You can see where the data gets sent
For ANY website you're authorized to test:
- Find input fields (search, login, filters)
- Test with ' (single quote) - look for errors
- Test with " (double quote) - look for errors
- Test with 1 OR 1=1 - see if you get different results
- Test with 1' AND '1'='1 - see if it works normally
- Test with 1' AND '1'='2 - see if it breaks
Signs you found SQL injection:
- Error messages mentioning "SQL", "MySQL", "Syntax error"
- Different page content when using SQL commands
- Login bypass with ' OR '1'='1
- More data shown than expected
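The same signs, seen from the defending side: the added script below is not part of the original post. It scans constructed web server access-log lines for the probe patterns listed above (quotes, comment sequences, always-true conditions, UNION SELECT) and raises the score when a server error follows such a request. The log lines, addresses and paths are made up, and the scoring weights and the high/low threshold are my own assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in Apache/Nginx "combined"-style format.
# Addresses, paths and timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2025:10:00:01 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120
10.0.0.7 - - [09/Oct/2025:10:00:02 +0000] "GET /listproducts.php?cat=1%27 HTTP/1.1" 500 812
10.0.0.7 - - [09/Oct/2025:10:00:03 +0000] "GET /listproducts.php?cat=1+OR+1%3D1 HTTP/1.1" 200 40960
10.0.0.9 - - [09/Oct/2025:10:00:04 +0000] "GET /search.php?q=O%27Reilly HTTP/1.1" 200 2200
10.0.0.7 - - [09/Oct/2025:10:00:05 +0000] "POST /login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})\b')
# "OR 1=1", "AND '1'='1": a comparison of a token with itself after OR/AND.
TAUTOLOGY_RE = re.compile(r"\b(or|and)\b\s*'?\s*(\w+)\s*'?\s*=\s*'?\s*\2\b", re.I)
COMMENT_RE = re.compile(r"--|#|/\*")
UNION_RE = re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)


def score_value(value):
    """Return (score, reasons) for one URL-decoded parameter value.
    Weights are assumed for this example: a lone quote is weak evidence
    (names like O'Reilly are legitimate), the other patterns are stronger."""
    score, reasons = 0, []
    if "'" in value or '"' in value:
        score += 1
        reasons.append("quote character")
    if COMMENT_RE.search(value):
        score += 2
        reasons.append("SQL comment sequence")
    if TAUTOLOGY_RE.search(value):
        score += 3
        reasons.append("always-true condition")
    if UNION_RE.search(value):
        score += 3
        reasons.append("UNION SELECT")
    return score, reasons


def analyze_log(text):
    """Parse combined-format log lines and return one finding per suspicious
    request. A 5xx status on a flagged request adds weight, because a database
    error leaking to the client is the first sign listed above."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("url"))
        total, reasons = 0, []
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            score, why = score_value(value)
            if score:
                total += score
                reasons.extend(f"{name}: {w}" for w in why)
        status = int(match.group("status"))
        if total and status >= 500:
            total += 2
            reasons.append(f"server error {status} on suspicious input")
        if total:
            findings.append({
                "ip": match.group("ip"), "time": match.group("ts"),
                "path": parts.path, "score": total,
                "severity": "high" if total >= 3 else "low",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"[{f['severity']:4}] {f['ip']} {f['path']} score={f['score']} "
              + "; ".join(f["reasons"]))
```

On the sample lines this flags the quote-then-500 request and the OR 1=1 request as high, and the O'Reilly search as low: a reminder that a single quote on its own is a weak signal and the useful detection is the combination of probe pattern plus error response or unusually large result. In production this logic belongs in a SIEM rule or WAF, and it is a safety net, not a substitute for parameterized queries in the application.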
Right now, open a new tab and go to:
Try these in the login form:
Code:
Username: test
Password: test' OR '1'='1
Or:
Code:
Username: admin'--
Password: [leave empty]
Or:
Code:
Username: ' OR 1=1--
Password: [anything]
Important Safety Rules:
- NEVER test on websites without permission
- Only use practice websites I listed above
- Real-world testing without permission is ILLEGAL
- Use this knowledge to protect your own websites
- Download SQLmap (automated tool)
- Learn about Burp Suite (intercepting requests)
- Study database structure (MySQL, PostgreSQL)
- Practice on dedicated vulnerable apps like DVWA or WebGoat