Prerequisites
Basic SQL: SELECT, WHERE, UNION, comments (--). How web forms send data to backend. HTTP POST requests. Browser DevTools Network tab.
Classic login bypass
Payload: ' OR 1=1 -- in username field. If the backend builds SELECT * FROM users WHERE username='$input', your input breaks out of the string and forces a true condition.
UNION-based injection
Append UNION SELECT to extract data from other tables. Find column count with ORDER BY or UNION SELECT NULL. Extract usernames and password hashes from information_schema or known table names.
Blind SQL injection
When errors are hidden, infer data via boolean conditions (page differs if true vs false) or time delays (SLEEP(5)). Harder but common in real apps.
Practice on Cyfotok
Start with easy SQLi lab — Tanglish tutorial walks through each step on a live login form. Progress to medium blind SQLi labs.