Day 13: SQL Injection Explained β From First Quote to Finding the Vulnerability (2026)
π° Originally published on SecurityElites β the canonical, fully-updated version of this article.
DAY 13 OF 100 PHASE 2: WEB SECURITY
π’ Day 13 β SQL Injection Tutorial
Day 100 β Professional Pentester
βοΈ Authorisation required: All SQL injection testing in this lesson is performed exclusively on DVWA running in your own lab environment β a deliberately vulnerable application designed for this exact purpose. Attempting these techniques against any production system, website, or service you do not own or have explicit written permission to test is illegal under computer crime laws in every jurisdiction. Security professionals carry written scope agreements for every engagement.
13
A single apostrophe. One character. Thatβs how this vulnerability begins. A developer builds a login form, connects it to a database, and passes the username directly into a SQL query without thinking about what happens if the user types something unexpected. The attacker types something unexpected β and suddenly the database is answering questions it was never meant to answer.
SQL injection has been on the OWASP Top 10 since 2003. Itβs been responsible for some of the largest data breaches in history. And itβs still being found in new code every single day. Today youβll understand exactly why β not from memorised rules, but from understanding how databases and queries work at a fundamental level.
SQL injection sits at #3 on the OWASP Top 10 β under the broader βInjectionβ category. Itβs the vulnerability that gave attackers the LinkedIn passwords of 117 million users, the Adobe credentials of 153 million accounts, and the card data of 40 million Target customers. Understanding it is not optional for anyone working in web application security.
π Day 13 Contents
- How Databases & SQL Queries Work
- Why SQL Injection Happens
- The Single Quote Test β First Step
- Types of SQL Injection
- Error-Based SQLi in Burp Repeater
- UNION-Based SQLi Explained
- Blind SQL Injection
- sqlmap β Automating Detection
- Prevention β Parameterised Queries
- Day 13 Practical Task
How Databases & SQL Queries Work β The Foundation
To understand SQL injection you first need to understand what a SQL query actually is and how an application builds one. Most web applications store their data β user accounts, posts, products, orders β in a relational database like MySQL, PostgreSQL, or MSSQL. The application retrieves data by sending SQL (Structured Query Language) queries to the database.
A typical login query β how most developers write it
The users table in the database
βββββββ¬βββββββββββ¬βββββββββββββββββββββββββββββββββββββββ β id β username β password_hash β βββββββΌβββββββββββΌβββββββββββββββββββββββββββββββββββββββ€ β 1 β admin β 5f4dcc3b5aa765d61d8327deb882cf99 β β 2 β alice β 0d107d09f5bbe40cade3de5c71e9e9b7 β βββββββ΄βββββββββββ΄βββββββββββββββββββββββββββββββββββββββ
PHP code building the login query (VULNERABLE pattern)
$username = $_POST[βusernameβ]; // Gets from login form $password = $_POST[βpasswordβ]; $query = βSELECT * FROM users WHERE username = β$usernameβ AND password = β$password'β;
What the query looks like with NORMAL input:
username = admin β WHERE username = βadminβ AND password = ββ¦β
Database checks if admin exists with that password. Fine.
What the query looks like with MALICIOUS input:
username = adminββ β WHERE username = βadminβββ AND password = ββ¦β
The β comments out everything after it
The password check is gone. βadminβ logs in without a password.
The critical point: the developer intended '$username' to be a string value inside the query. The apostrophes were meant to delimit the string. But when the attacker includes their own apostrophe in the input, they break out of the string context and enter the SQL command context. Now theyβre writing SQL, not just providing data.
Why SQL Injection Happens β The Root Cause
SQL injection is not a subtle bug. Itβs a fundamental category error: the application fails to maintain the distinction between code (the SQL structure) and data (user input). When these two things are mixed together in a string concatenation, user data can be interpreted as code.
β VULNERABLE β String Concatenation query = βSELECT * FROM users WHERE id = β + user_id User data is inserted directly into the SQL string. The database cannot tell where the developerβs code ends and the userβs input begins.
β SAFE β Parameterised Query query = βSELECT * FROM users WHERE id = ?β execute(query, [user_id]) SQL structure is sent separately from data. The database treats user_id as pure data, never as SQL code. Injection is structurally impossible.
The Single Quote Test β How Testers Identify SQLi
In an authorised penetration test, the first thing a tester does to check for SQL injection is also the simplest: submit a single apostrophe ' into every input field that might reach a database query. If the application is vulnerable and doesnβt handle it properly, one of several things happens β and each response tells you something different.
What different responses to a single quote mean β in Burp Repeater
DVWA SQL Injection page β normal request
GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit Response: First name: admin Surname: admin
Inject a single quote
GET /dvwa/vulnerabilities/sqli/?id=1β&Submit=Submit
Possible responses and what each means:
Response A: SQL error message visible
You have an error in your SQL syntaxβ¦ near β1ββ at line 1
β Error-based SQLi confirmed. Quote broke the query structure.
Response B: Application error, no SQL detail
500 Internal Server Error / βSomething went wrongβ
β Likely vulnerable but errors suppressed. Try blind techniques.
Response C: Different output (fewer/more results)
User ID exists in the database. β vs no output for id=1β²
β Boolean-based blind SQLi. Application behaves differently.
Response D: Same output as without the quote
First name: admin Surname: admin β same as before
β Input might be sanitised, or numeric (quotes not relevant)
β Try: id=1 OR 1=1β or id=1 AND 1=2 (no quotes needed)
π Read the complete guide on SecurityElites
This article continues with deeper technical detail, screenshots, code samples, and an interactive lab walk-through. Read the full article on SecurityElites β
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.
