Lab environment
Each SQLi lab spins up an isolated web app with intentional SQL concatenation bugs. Your browser connects to the sandbox — no local setup.
Exercise progression
Easy: classic ' OR 1=1 -- login bypass. Medium: UNION SELECT column enumeration and data dump. Hard: blind boolean/time-based extraction.
Tools needed
Browser and DevTools for starters. Burp Suite optional for intercepting requests. Tutorial shows raw payloads first.
After the lab
Write a 3-sentence summary: vulnerability, payload, fix (parameterized queries). Add to portfolio.