An SQL injection (SQLi) payload is input crafted to break out of a query's intended syntax and inject attacker-controlled SQL, letting you read, modify, or dump database contents. Classic tests include a single quote to trigger an error and ' OR '1'='1 to bypass authentication. The SQL Injection generator tailors payloads per database engine.
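As an added example (not part of the generator or the original page), the two classic tests above are run against a constructed in-memory SQLite lab table, comparing a concatenated login query with its parameterized form. The table, credentials and function names are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed lab data: one user in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concatenated(db, name, password):
    # Weak form: input becomes part of the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    try:
        return "granted" if db.execute(sql).fetchone() else "denied"
    except sqlite3.Error:
        return "sql error"  # the broken syntax surfaces as a database error

def login_parameterized(db, name, password):
    # Corrected form: placeholders bind input as data, never as syntax.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = db.execute(sql, (name, password)).fetchone()
    return "granted" if row else "denied"

def run_checks():
    # Passwords to try for user 'alice'; the last two are the page's classic tests.
    probes = {
        "valid": "s3cret",
        "wrong": "nope",
        "quote": "'",
        "tautology": "' OR '1'='1",
    }
    db = make_db()
    return {
        label: (login_concatenated(db, "alice", pw),
                login_parameterized(db, "alice", pw))
        for label, pw in probes.items()
    }

if __name__ == "__main__":
    for label, (weak, fixed) in run_checks().items():
        print(f"{label:10} concatenated={weak:10} parameterized={fixed}")
```

In the concatenated query the tautology works because AND binds tighter than OR, so the WHERE clause is true for every row. The parameterized query compares the whole string against the stored password and denies it.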
Each engine differs in syntax and functions, so select your target in the generator. MySQL uses -- comments and version() with UNION SELECT; PostgreSQL uses string concatenation with || and pg_sleep() for time-based tests; MSSQL uses WAITFOR DELAY and stacked queries with semicolons. Matching the dialect avoids wasted error-only probes.
Union-based SQLi appends UNION SELECT to pull data directly into the response and needs a matching column count. Error-based extracts data through verbose DB error messages. Blind SQLi infers results when no output is shown, either boolean-based by comparing true/false responses or time-based using sleep functions to measure delays.
Yes. The SQL Injection generator is free and runs entirely in your browser, so your target details and payloads stay on your machine and are never sent to a server. Only use it against databases and applications you are authorized to test, such as your own labs, pentest scopes, or CTFs.