String SQL Injection

SELECT * FROM user_data WHERE last_name = 'user input'

The website wraps your input in single quotes and automatically adds the closing ' at the end

    • Escape it by closing the quote yourself and commenting out the rest of the statement with --

    • Enter in the input field:

' OR 1=1 --

The statement the database actually runs is then:

SELECT * FROM user_data WHERE last_name = '' OR 1=1 --'

Everything after -- is ignored (including the quote the site appended), and 1=1 is always true, so every row in the table is returned.

The same bug in code, in its numeric form. The value is concatenated without quotes, so the payload needs no leading ' to break out of the string:

// untrusted subjectUserId concatenated straight into the statement
String query = "SELECT * FROM employee WHERE userid = " + subjectUserId;
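An added example, not code from the original page, that runs both forms above against an in-memory SQLite database: the string form in which the application appends the closing quote, and the numeric form from the Java line, each beside a fixed version that binds the input as a parameter (and, for the numeric case, enforces the integer type first). The table, column names and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original page): a small user_data table
# with the last_name column the notes' query filters on.
SAMPLE_ROWS = [
    (101, "Joe", "Snow"),
    (102, "John", "Smith"),
    (103, "Jane", "Plane"),
]


def make_db():
    """In-memory SQLite database seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (userid INTEGER, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_string_lookup(conn, user_input):
    """String form from the notes: the application wraps the input in single
    quotes and appends the closing quote itself. Returns (statement, rows)."""
    query = "SELECT * FROM user_data WHERE last_name = '" + user_input + "'"
    return query, conn.execute(query).fetchall()


def vulnerable_numeric_lookup(conn, user_input):
    """Numeric form from the notes' Java line: the value is concatenated without
    quotes, so no quote is needed to break out. Returns (statement, rows)."""
    query = "SELECT * FROM user_data WHERE userid = " + user_input
    return query, conn.execute(query).fetchall()


def safe_string_lookup(conn, user_input):
    """Fix for the string form: bind the input as a parameter, so the driver
    never lets it become part of the SQL grammar."""
    return conn.execute(
        "SELECT * FROM user_data WHERE last_name = ?", (user_input,)
    ).fetchall()


def safe_numeric_lookup(conn, user_input):
    """Fix for the numeric form: enforce the expected type before binding.
    int() raises ValueError on anything that is not a plain integer."""
    userid = int(user_input)
    return conn.execute(
        "SELECT * FROM user_data WHERE userid = ?", (userid,)
    ).fetchall()


def demo():
    """Run each variant against the classic payloads and collect the results."""
    conn = make_db()
    string_payload = "' OR 1=1 --"
    numeric_payload = "101 OR 1=1"

    string_query, string_rows = vulnerable_string_lookup(conn, string_payload)
    numeric_query, numeric_rows = vulnerable_numeric_lookup(conn, numeric_payload)

    try:
        safe_numeric_lookup(conn, numeric_payload)
        numeric_rejected = False
    except ValueError:
        numeric_rejected = True

    return {
        "string_query": string_query,
        "string_rows": len(string_rows),          # 3: whole table dumped
        "numeric_query": numeric_query,
        "numeric_rows": len(numeric_rows),        # 3: whole table dumped
        "safe_string_rows": len(safe_string_lookup(conn, string_payload)),  # 0
        "legit_string_rows": len(safe_string_lookup(conn, "Smith")),        # 1
        "safe_numeric_rejected": numeric_rejected,                          # True
        "legit_numeric_rows": len(safe_numeric_lookup(conn, "101")),        # 1
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the exact statement built by concatenation (`... last_name = '' OR 1=1 --'`) next to the row counts: three rows for either vulnerable form, zero rows when the same payload is bound as a parameter, and a ValueError for the numeric payload once the type is enforced. Binding parameters is the fix; escaping quotes by hand is what the numeric form shows to be insufficient.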
