SQL Injection Playground

SQL Injection (SQLi) is one of the most prevalent and dangerous web vulnerabilities. This playground lets you experiment with a simulated vulnerable application backed by an in-memory database. Type real payloads, watch how the query is assembled, and observe the consequences - all without touching a real server. The final example demonstrates how parameterized queries neutralize every attack.

Educational use only. The techniques shown exist to help understand and prevent SQL injection. Never attempt SQLi against systems you do not own or have explicit permission to test.

Simulated Database Schema

users

id INT PK

usernameVARCHAR

emailVARCHAR

password_hashVARCHAR

roleVARCHAR

credit_cardVARCHAR

products

id INT PK

nameVARCHAR

descriptionVARCHAR

priceDECIMAL

categoryVARCHAR

orders

id INT PK

user_idINT FK

product_idINT FK

quantityINT

totalDECIMAL

statusVARCHAR

Attack Ex 1 - Login Bypass

The application builds this query by directly concatenating user input:
SELECT * FROM users WHERE username = 'USER' AND password_hash = 'PASS'

Try inserting a tautology to make the WHERE clause always true, or use a comment to cut off the password check entirely. Classic payloads:

Payload suggestions - click to fill admin (normal) admin'-- ' OR '1'='1 ' OR 1=1-- '; DROP TABLE users;-- UNION dump

Username

Password

Constructed SQL Query

–

Database Response

Attack Ex 2 - UNION-Based Data Extraction

The product search page runs: SELECT id, name, description, price, category FROM products WHERE name LIKE '%SEARCH%'

A UNION SELECT appends a second query to the results. As long as it returns the same number of columns, the database will merge the output - leaking data from any other table, including users.

Payload suggestions - click to fill laptop (normal) ' OR '1'='1 (all rows) UNION users (5 cols) UNION credit cards DROP orders (piggyback)

Search products

Constructed SQL Query

–

Database Response

Inferential Ex 3 - Error-Based Schema Enumeration

This endpoint fetches a product by numeric ID - the input is inserted without quotes because "it's just a number": SELECT * FROM products WHERE id = ID

By injecting a type-conversion expression, an attacker can force the database to emit an error message that inadvertently reveals table names, column names, or even row values from other tables.

Payload suggestions - click to fill 1 (normal) 1 AND 1=2 (false → no row) CONVERT error (leak username) CONVERT error (leak card) UPDATE (privilege escalation)

Product ID

Constructed SQL Query

–

Database Response

Ex 4 - Blind Time-Based Injection

Sometimes an application reveals nothing - no results, no errors, only a silent success or failure. The attacker can still extract information by measuring response time. If the condition is true, the database sleeps and the page loads slowly; if false, it responds instantly.

Query: SELECT COUNT(*) FROM users WHERE username = 'USER'

Payload suggestions - click to fill alice (normal, fast) nobody (no match, fast) admin exists → SLEEP(3) nobody → no sleep (false) always true → SLEEP(5)

Username

Constructed SQL Query

–

Database Response

Defense Ex 5 - Parameterized Queries

The fix is simple and reliable: never concatenate user input into SQL. Use parameterized queries (also called prepared statements). The database engine receives the SQL structure separately from the data - so injection is structurally impossible regardless of what the user types.

Try any payload - click to apply to both forms admin (normal) admin'-- ' OR '1'='1 UNION dump

⚠ Vulnerable - String Concatenation

Username

Password

Constructed SQL

–

Waiting for execution…

✓ Safe - Parameterized Query

Username

Password

Parameterized SQL

–

Waiting for execution…