Structured Query Language (SQL) is the standard language for interacting with relational databases. Nearly every web application you use — from social media to online banking — stores its data in a database and retrieves it using SQL.
Every time you search for a product, log in, or view your profile, queries like these execute behind the scenes.
Here is the dangerous pattern. A developer needs to look up a product by name. They write server-side code like this:
The variable user_input comes directly from whatever the user typed into the search box. The developer assumes users will type something innocent like router. But what if they type something with special SQL characters?
In SQL, single quotes (') delimit strings. When your input contains a single quote, you escape the string context and start writing raw SQL. The database cannot tell the difference between the developer's query and your injected code. This is the fundamental vulnerability.
The injected single quote closes the original string. Then OR '1'='1' makes the condition always true. The -- comments out the rest of the query. Result: every row is returned.
SQL injection was first publicly described in 1998 by security researcher Jeff Forristal. Since then it has been the #1 or #2 web vulnerability in every OWASP Top 10 list from 2003 through 2021. Despite being well-understood, it persists because developers continue to concatenate user input directly into queries.
You are visiting Acme Corp's online store. The product search page lets customers search by product name. The server builds a SQL query using whatever you type into the search box.
First, try a normal search (like router) and observe how the query is built. Then, type just a single quote (') and observe what happens to the query structure. Understanding how your input becomes part of the SQL is the first step to exploiting it.
Type router and click Execute. Notice how it slots neatly into the LIKE clause. Then type ' (a single quote). Look at the generated query: the string delimiters are now mismatched. This is a syntax error that tells you injection is possible.
Same Acme Corp product search. Now that you understand how the query is built, your goal is to craft input that makes the database return all products, not just those matching your search.
Inject SQL into the search box that causes the query to return all 6 products in the database. You need to escape the string context and add a condition that is always true.
Hints: (1) escape the string context with ', (2) add OR with a condition that is always true, (3) comment out the remaining SQL with --. Solutions: %' OR '1'='1' -- or %' OR 1=1 --
Acme Corp also has an internal employee directory. The page lets managers look up employees by department name using an exact-match query (not LIKE).
Enter a department lookup that returns all 5 employees regardless of their actual department. The query uses = instead of LIKE, so your approach will be slightly different.
Hints: escape the string context with ', then add a tautology (always-true condition). Solutions: ' OR '1'='1 or ' OR 1=1 -- or ' OR ''=' or Engineering' OR '1'='1
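The concatenation pattern from both labs beside its parameterized replacement, as an added example that is not part of the lab (Python with SQLite; the product and employee rows are constructed, since the lab's real schema is not shown on the page):

```python
import sqlite3

# Constructed sample data standing in for the Acme Corp store (6 products)
# and employee directory (5 employees); not the lab's real tables.
PRODUCTS = ["router", "switch", "firewall", "cable", "access point", "modem"]
EMPLOYEES = [("alice", "Engineering"), ("bob", "Sales"), ("carol", "Engineering"),
             ("dave", "Support"), ("eve", "Finance")]


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT)")
    db.executemany("INSERT INTO products VALUES (?)", [(p,) for p in PRODUCTS])
    db.execute("CREATE TABLE employees (name TEXT, department TEXT)")
    db.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    return db


def search_vulnerable(db, user_input):
    # Dangerous pattern: the input is pasted into the SQL text, so a quote
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM products WHERE name LIKE '%" + user_input + "%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, user_input):
    # Parameterized query: the value travels separately from the SQL text,
    # so quotes inside it are data for LIKE, never syntax.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + user_input + "%",))]


def lookup_vulnerable(db, department):
    # Exact-match variant of the same mistake (the employee directory).
    sql = "SELECT name FROM employees WHERE department = '" + department + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, department):
    sql = "SELECT name FROM employees WHERE department = ?"
    return [row[0] for row in db.execute(sql, (department,))]


def query_errors(db, user_input):
    # True when the concatenated query fails to parse (a lone quote leaves
    # the string delimiters mismatched, the signal the first lab points out).
    try:
        search_vulnerable(db, user_input)
        return False
    except sqlite3.OperationalError:
        return True
```

Run the same input through both versions: the concatenated query returns every row for the lab's payloads, the parameterized one returns only names that literally contain them, which is none.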