
PortSwigger-Academy[Part-1]:SQL injection

April 6, 2026 at 12:28 PM
4 min read
#SqlInjection #BugBounty #LoginBypass #HiddenDataRetrieval

📚 Table of Contents

1. What is SQL Injection? - Introduction to SQL injection and how it works
2. Impact of Successful SQL Injection Attack - What attackers can achieve
3. How to Detect SQL Injection Vulnerabilities - Methods and tools for detection
4. SQL Injection in Different Parts of the Query - Where injections can occur
5. SQL Injection Examples - Practical attack scenarios
   5.1 Retrieving Hidden Data - Extracting restricted data
   5.2 Subverting Application Logic - Bypassing authentication and logic

What is SQL Injection?

SQL injection (SQLi) is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. This can allow an attacker to view data that they are not normally able to retrieve. This might include data that belongs to other users, or any other data the application can access.

Impact of Successful SQL Injection Attack

A successful SQL injection attack can result in unauthorized access to sensitive data such as:

- Passwords

- Credit card details

- Personal user information

How To Detect SQL Injection Vulnerabilities

You can detect SQL injection manually using a systematic set of tests against every entry point in the application: submitting the single quote character '; submitting Boolean conditions such as OR 1=1 and OR 1=2 and looking for differences in the application response; submitting payloads that trigger time delays when executed within a SQL query; and submitting OAST payloads designed to trigger an out-of-band network interaction when executed within a SQL query.

SQL Injection in Different Parts of the Query

Most SQL injection vulnerabilities occur within the WHERE clause of a SELECT query. Other common locations where SQL injection arises are UPDATE statements (within the updated values or the WHERE clause), INSERT statements (within the inserted values), and SELECT statements (within the table or column name).

SQL Injection Examples

Retrieving Hidden Data

For example, imagine a shopping application that displays products in different categories. When a user clicks on the Gifts category, their browser requests the URL https://insecure-website.com/products?category=Gifts

This can cause the application to make a SQL query to retrieve details of relevant products from the database.

SELECT * FROM products WHERE category='Gifts' AND released = 1. That is: all details (*) from the products table, where the category is Gifts and the product is released.

The application doesn't implement any defenses against SQL injection attacks, so an attacker can construct the following attack:

https://insecure-website.com/products?category=Gifts'-- This results in the query SELECT * FROM products WHERE category='Gifts'-- AND released = 1

-- is a comment indicator in SQL. This means that the rest of the query is interpreted as a comment, so the query no longer includes AND released = 1; as a result, all products are displayed. Similarly, an attacker can use https://insecure-website.com/products?category=Gifts'+OR+1=1-- which results in SELECT * FROM products WHERE category='Gifts' OR 1=1-- AND released=1

LAB-01: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

In this lab I used Burp Suite to perform a SQL injection in the WHERE clause that allowed retrieval of hidden data.


In this case I wanted to check the hidden pets that were not visible, so in the URL I added category=pets'+OR+1=1-- and it then displayed the other hidden pets.

Subverting Application Logic

Imagine an application that lets users log in with a username and password. When a user submits their username and password, the application checks the credentials by performing a query like the following: SELECT * FROM users WHERE username='wiener' AND password='bluecheese'. If the query returns the details of a user, the login is successful. An attacker can log in as any user without needing a password by using the SQL comment sequence -- to remove the password check from the WHERE clause of the query. For example, submitting the username administrator'-- and a blank password results in the following query: SELECT * FROM users WHERE username='administrator'--' AND password=''. This query returns the user whose username is administrator and successfully logs the attacker in as that user.

LAB-02: SQL injection vulnerability allowing login bypass


In this lab I bypassed the login function with an SQL injection. The application requires a username and password, so what I did was log in with administrator'-- as the username and '' as the password to completely bypass the login function.

Reflection

I had an amazing blast while doing this; this is part one. Many more in the series are on the way; this is 1/60. The next step is to read the book Bug Bounty Bootcamp and continue with PortSwigger tomorrow in the morning.

Thank you

Thierry