Now that you understand how SQL injection works, let us examine the four foundational attack patterns that form the basis of every SQLi exploitation.
A tautology is a statement that is always true. By injecting OR 1=1 into a WHERE clause, you make the entire condition evaluate to true for every row. This is the most common way to bypass authentication or dump entire tables.
SQL comments (-- in most dialects, # in MySQL) make the database ignore the rest of the query. This is devastating when combined with a known username because it removes the password check entirely.
When the injection point is a numeric field (like an ID), the value is not wrapped in quotes. This means you do not even need to escape a string — you can inject SQL directly without a leading single quote.
The LIKE operator uses % as a wildcard (match anything). By injecting wildcards and tautologies into LIKE-based searches, you can match every row regardless of the intended filter.
Acme Corp's employee portal has a login form. The server checks credentials by running a SQL query that matches both username and password. If the query returns any rows, the user is authenticated.
Log in to Acme Corp without knowing any password. Use a tautology attack in the username field to make the WHERE clause always true.
Enter ' OR '1'='1' -- as the username. The -- comments out the trailing AND password='...' clause, and OR '1'='1' makes the WHERE clause always true.
Same Acme Corp login form. This time, your goal is more specific: log in as the admin user. You know the username is admin but you do not know the password.
Log in as the admin user specifically. The lab will only accept a solution that authenticates you as admin (role = "admin"). Use SQL comments to eliminate the password check.
With admin' -- as the username, the query becomes WHERE username='admin' -- ' AND password='...'. Everything after -- is a comment, so the password check vanishes completely; the query now only checks whether username = 'admin'.
Acme Corp's order tracking page lets customers look up orders by ID. The developer used a numeric parameter without quotes, assuming only numbers would be entered.
The input is numeric — no quotes surround it. Exploit this to return all orders in the database, not just your own. You do not need a single quote for this one.
Enter 1 OR 1=1 as the order ID. The query becomes WHERE id = 1 OR 1=1, which is true for every row.
Acme Corp's product page lets you browse by category using a LIKE search. The category filter is supposed to narrow results, but you can use it to see everything.
Return all 6 products from every category. The LIKE clause uses wildcards — find a way to make it match everything.
Enter %' OR '1'='1' -- as the category: this closes the string, adds a tautology, and comments out the rest. %' OR 1=1 -- works the same way. Because the search wraps the input in a %...% wrapper, a lone % is also worth trying; if that returns all rows, you may not even need injection. (It will, since % matches everything!)
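Added example, not part of the lab: a Python sqlite3 stand-in for the Acme Corp login and order-lookup queries above, showing the string-built query beside its parameterized replacement and running the lab's own payloads through both. The table names, sample users, passwords and function names are assumptions; the page does not give the lab's real schema.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the Acme Corp portal database.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(username TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'wonderland', 'user'), ('admin', 'hunter2', 'admin');
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT);
        INSERT INTO orders VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
    """)
    return con

def vulnerable_login(con, username, password):
    # Input is spliced into the SQL text, so a quote or -- rewrites the query.
    sql = (f"SELECT username, role FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return con.execute(sql).fetchone()

def safe_login(con, username, password):
    # Bound parameters travel as data; the query's structure cannot change.
    sql = "SELECT username, role FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()

def vulnerable_orders(con, order_id):
    # Unquoted numeric field: no leading quote is needed to inject.
    return con.execute(f"SELECT id FROM orders WHERE id = {order_id}").fetchall()

def safe_orders(con, order_id):
    # Type-check first, then bind; returns None when the input is not an int.
    try:
        oid = int(order_id)
    except ValueError:
        return None
    return con.execute("SELECT id FROM orders WHERE id = ?", (oid,)).fetchall()

def demo():
    # Run the lab's payloads through both versions and collect the outcomes.
    con = make_db()
    return {
        "vuln_tautology": vulnerable_login(con, "' OR '1'='1' --", "x"),
        "safe_tautology": safe_login(con, "' OR '1'='1' --", "x"),
        "vuln_comment": vulnerable_login(con, "admin' --", "x"),
        "safe_comment": safe_login(con, "admin' --", "x"),
        "vuln_numeric": vulnerable_orders(con, "1 OR 1=1"),
        "safe_numeric": safe_orders(con, "1 OR 1=1"),
        "safe_valid": safe_login(con, "admin", "hunter2"),
    }
```

The vulnerable functions return rows for every payload, while the parameterized ones return None for each and only authenticate the real admin credentials.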