SQL Injection for Beginners

When we develop a web application we have to think carefully about security, because clients expect their privacy to be protected. The title has two parts, 'SQL' and 'injection': we practise on MySQL, and injection means we are going to feed the application input that gets inserted into its queries and changes what they do.


This can be fun, but remember to use these techniques for educational purposes only, on systems you own. Don't harm anyone. This is for basic understanding only; real-world injections are more difficult and there is much more to learn.

What we should know

HTML basic knowledge (forms, buttons)

PHP basic knowledge (connecting to a database, running queries)

MySQL (simple INSERT and SELECT queries)

Tools we need

XAMPP or WAMP, to run PHP and MySQL locally

A text editor to write the code


According to Wikipedia “SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution”


Step 1 – identify requirements

We have to create a small web application to test SQL injection on. It needs:

  • Enter username
  • Enter password
  • Submit button
  • Message display that user name and password match or mismatch
  • Display query that goes to MySQL


I am using a single index.php file for everything (the HTML form and the PHP database code). The code is explained with pictures. The complete code can be found at the bottom of the article or downloaded from the GitHub gist. A normal PHP application would have more error handling; I removed some of it to keep the code short and easier to understand.


Step 2 – database

Create the database and table. These are mine; create them as you wish. The key point is that there must be columns to store the username and the password, and the table name must match the one used in the query in step 3.

Database name: testsql


Table name: testtable

Table structure:

uid (user id) – int, auto increment, primary key

user – varchar(20)

pass – varchar(20)


Create some users, as you wish, with phpMyAdmin. In this tutorial the password is stored as plain text so that the query is easy to read; a real application stores only a password hash and compares against that.


Step 3 – coding

For the password field in HTML we would normally use type="password", so the characters are not visible. Here we use type="text" instead, so that we can see what we are typing. The form submits with GET to the same index.php, using the field names un and pw that the PHP code below reads.

<form action="index.php" method="get">
User Name : <input type="text" name="un">
Password : <input type="text" name="pw">
<input type="submit" value="Login">
</form>


Database connection credentials (the XAMPP defaults: user root with an empty password)

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "testsql";

Variables to get the username and password from the HTML form. The @ suppresses the "undefined index" notice on the first page load, before the form has been submitted.


@$user_name=$_GET['un'];//variable to get username from html form
@$pass_word=$_GET['pw'];//variable to get password from html form

Create the connection and stop if it fails


// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

Query to check the username and password. Both values are concatenated straight into the SQL string, with nothing escaped; this is what makes the page injectable.


//query to check username and password
$sql = "SELECT * FROM testtable WHERE user='$user_name' AND pass='$pass_word'";

Check whether the username and password match. If a matching row is found display "login ok", otherwise display "username and password error". Note that mysqli_query returns a result set even when no row matches, so the row count is what decides the login.


if ($result = mysqli_query($conn, $sql)) {

    //checking username and password: count the rows the query returned
    $check = mysqli_num_rows($result);

    //if there is a match it will return 1
    if ($check) {
        //if there is a match display login ok
        echo "login ok";
    } else {
        //user name and password do not match display error
        echo "username and password error";
    }
} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}


Display the complete query. A normal web application never shows its internal queries to users, but here it is for education, and seeing the exact query that reaches MySQL is the most important point in learning SQL injection.


//preview mysql query for better analysis
echo "<b>preview mysql query</b><br>";
echo $sql;

That is the end of the code walkthrough. Below you can find the complete code. If you have trouble copying and pasting, download the code from the GitHub gist.


Step 4 – testing

Test that your code is working. Enter a correct username and password; it should display "login ok". If they do not match it should display "username and password error".

The query should also be displayed. It looks like this:

SELECT * FROM testtable WHERE user='abc' AND pass='def'

Our code must be working as intended before we go on; without that we cannot test SQL injection.

Step 5 – injection

Now everything is ready and we want to log in without knowing the password. We do need to know the username (which is often an email address).

Let's start from the correct query that logs into an account. In my database the correct username and password combination is (admin, pass123). Try to log in with these credentials and look at the query. It says

login ok

SELECT * FROM testtable WHERE user='admin' AND pass='pass123'


Now think carefully: what if we type admin in the username field and

' or '1'='1

in the password field?

We got in. It says login ok.


Look carefully at the query:

SELECT * FROM testtable WHERE user='admin' AND pass='' or '1'='1'

Let's look at the parts around the AND.

With AND, both sides must be true: the username must match and the password must match. true AND true is true; true AND false, false AND true and false AND false are all false.


Let's look at the parts around the OR.

With OR, only one side needs to be true; it can be the left side, the right side, or both. Only false OR false is false.


The password part says pass should be blank (which is false, since there are no blank passwords) OR '1'='1' should be true. '1'='1' is true, because one equals one, and with OR one true side is enough. So the pass='' or '1'='1' part is true.

Let's put it all together.

The OR is true (one side is true, so the output is true).

The AND is true (we know the username, and the OR output is true).

Because of that the WHERE condition is true and the query returns a row. You are now logged into the system without the password.

One caveat on the grouping: in SQL, AND binds tighter than OR, so MySQL actually reads the condition as (user='admin' AND pass='') OR ('1'='1'). The right side is true for every row, so the query returns every user in the table, not only admin, and the first row returned is what logs you in. The result is the same as in the step-by-step reading above, but it also means that with this particular payload the username does not even have to be right.



Look at the two single quotes around what we typed: the one right after pass= and the very last one. Those two come from the PHP query you wrote; everything between them is what we typed in the form. To build a complete injection we have to think about which punctuation marks are already in the PHP query and make sure the ones we type match and balance them. That is why the payload starts with a quote (closing the opening quote after pass=) and ends without one (the query's own closing quote finishes the '1'='1' comparison); an unbalanced quote gives a syntax error instead of a login.
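To see the whole thing run end to end, here is an added example, not code from the article, that reproduces the Step 3 query construction and the Step 5 injection in Python, with the standard sqlite3 module standing in for MySQL. The table layout and the two sample users are constructed to match the tutorial (the table name testtable is assumed from the query above). It goes slightly beyond the article: it also shows what an unbalanced payload does, the "--" comment as another way to balance the quotes, and the same login check written with a parameterised query, which is the fix.

```python
"""Vulnerable vs. parameterised login check, SQLite standing in for MySQL.

Added example for this page; the table and users below are constructed to
mirror the tutorial's testsql.testtable, not copied from anywhere.
"""
import sqlite3

# Constructed sample users. Plaintext passwords are kept deliberately, as in the
# tutorial, so the generated query is easy to read; real applications hash them.
USERS = [("admin", "pass123"), ("abc", "def")]


def make_db():
    """In-memory database with the tutorial's table layout and sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE testtable ("
        "uid INTEGER PRIMARY KEY AUTOINCREMENT, user VARCHAR(20), pass VARCHAR(20))"
    )
    conn.executemany("INSERT INTO testtable (user, pass) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, user_name, pass_word):
    """Mirrors index.php: the query is built by string concatenation.

    Returns (logged_in, query_text, error_text). A syntax error is reported
    instead of raised so the caller can see what an unbalanced payload does.
    """
    sql = f"SELECT * FROM testtable WHERE user='{user_name}' AND pass='{pass_word}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:  # unbalanced quotes end up here
        return False, sql, str(exc)
    return len(rows) > 0, sql, ""


def login_safe(conn, user_name, pass_word):
    """Same check with a parameterised query: the input is sent as data,
    never spliced into the SQL text, so quotes in it cannot change the query."""
    rows = conn.execute(
        "SELECT * FROM testtable WHERE user=? AND pass=?", (user_name, pass_word)
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    # Correct password, wrong password, the tutorial's payload, an unbalanced
    # payload, and a payload that balances the quotes with a SQL comment.
    for pw in ["pass123", "wrong", "' or '1'='1", "' or 1=1", "' or 1=1 --"]:
        ok, sql, err = login_vulnerable(db, "admin", pw)
        safe = login_safe(db, "admin", pw)
        print(f"{pw!r:16} vulnerable={ok!s:5} parameterised={safe!s:5} {sql}")
        if err:
            print("                 syntax error:", err)
```

Run it and compare the two columns: the concatenated query lets both balanced payloads in and errors out on the unbalanced one, while the parameterised version only ever accepts the real password.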

Further reading: SQL Injection Attacks and Defense, Second Edition, by Justin Clarke


2 thoughts on "SQL Injection for Beginners"

  • December 16, 2015 at 4:16 pm

    Great work. It is very helpful for web developers.

  • December 18, 2015 at 9:38 am

    Very good… You should keep writing these techie things, malli…

