SQL Injection (SQLi)

SQL injection lets an attacker alter the queries an application sends to its database — leading to data theft, authentication bypass, and sometimes full server compromise.

SQL InjectionGenerate payloads Cheat SheetCopy-ready payloads Testing GuideStep by step

What it is

SQLi happens when user input is concatenated into a SQL query instead of being passed as a bound parameter. The injected syntax changes the query's logic, letting an attacker read or modify arbitrary data and, on some engines, execute commands.

How to test for it

Probe each input with a single quote and SQL meta-characters and watch for errors or behavioural changes. Confirm with boolean and time-based payloads for blind cases, then enumerate the database with UNION-based extraction where the result set is reflected.

How to prevent it

Use parameterised queries / prepared statements everywhere — never string concatenation. Apply least-privilege database accounts, validate input types, and use an ORM correctly so raw query building never reaches user input.

In-depth articles

SQL Injection Testing: From Detection to Data Extraction15 min read Solving a Multi-Stage CTF Challenge Using Only Payload Playground18 min read CTF Web Challenge Methodology: Recon, Source Review, and Exploitation Chains14 min read NoSQL Injection: MongoDB, CouchDB, and Beyond13 min read

Frequently asked questions

What is blind SQL injection?+

Blind SQLi is when the application doesn't return query results or errors directly, so you infer data from boolean (true/false) page differences or from time delays you induce.

Do prepared statements fully prevent SQL injection?+

Parameterised queries prevent injection in the data they bind. You still need care with dynamic identifiers (table/column names) and any place raw SQL is assembled.

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

$loading...