SQL Injection for Beginners – How Hackers Break into Websites

If you’ve ever logged into a website, entered your username and password, and clicked “Submit,” there’s a lot happening behind the scenes.
Your details travel from the website to a database — a place where all usernames, passwords, and other sensitive info are stored.

But here’s the scary part:
If the website isn’t built securely, a hacker can trick that database into revealing all its secrets without knowing a single password. This trick is called SQL Injection, or SQLi for short.


What is SQL Injection (SQLi)?

SQL Injection is a type of cyber attack where malicious code is inserted into a website’s input fields (like login forms, search bars, or even contact forms) to manipulate the database.

With the right payload (a special type of input), attackers can:

  • Log in without valid credentials.

  • Steal usernames, passwords, and emails.

  • Modify or delete stored data.

  • Even take full control of the website.


Setting Up the Playground

In this tutorial, the demo is done using OWASP Bricks — a purposely vulnerable web application. Think of it as a “cybersecurity lab” where you can safely practice attacks without breaking the law.

The website has different login pages, each with varying levels of protection, perfect for testing both manual and automated SQL injection techniques.


Manual SQL Injection – Step by Step

1. Reconnaissance (Info Gathering)

Before launching an attack, hackers often gather basic information:

  • Usernames from LinkedIn, Facebook, or company websites.

  • Email IDs from public directories.

This makes it easier to guess targets.


2. Testing the Login Form

Normally, if you enter the wrong username/password, you get:

Wrong username or password.

Behind the scenes, the site pastes the values you typed straight into a database query, something like:

SELECT * FROM users WHERE name = 'Tom' AND password = 'password123';

If both values match in the database, you get in. If not, you’re rejected.


3. Bypassing with a Payload

Here’s where SQLi magic happens. Instead of entering a normal password, the attacker enters:

' OR '1'='1

So the query becomes:

SELECT * FROM users WHERE name = 'Tom' AND password = '' OR '1'='1';

The attacker's quote closed the password string early, and the rest of the input became part of the query. Since '1'='1' is always true, and the database evaluates AND before OR, the condition is true for every row in the table. The database happily returns a user and logs the attacker in without ever knowing the real password.
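To make the two steps above concrete, here is an added example (it is not code from the original post or from OWASP Bricks): the login query built two ways in Python against an in-memory SQLite database. The users table, the account Tom and the password password123 are constructed sample data. The vulnerable version pastes the typed values into the SQL text exactly as described above; the second version uses placeholders, which is the parameterized-query fix from the defence section later in the post. The same payload is fed to both.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"        # the payload from step 3 of the tutorial


def make_db():
    """In-memory SQLite database with one constructed account.
    The password is stored in plain text only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('Tom', 'password123')")
    conn.commit()
    return conn


def build_vulnerable_query(name, password):
    """How the tutorial's site builds its query: the typed values are pasted
    straight into the SQL text, so a quote in the input changes the query."""
    return ("SELECT * FROM users WHERE name = '" + name
            + "' AND password = '" + password + "';")


def login_vulnerable(conn, name, password):
    """Login check using string concatenation (the vulnerable version)."""
    rows = conn.execute(build_vulnerable_query(name, password)).fetchall()
    return len(rows) > 0


def login_parameterized(conn, name, password):
    """Login check using placeholders: the driver sends name and password as
    data, so a quote in the input is just a character to compare against."""
    rows = conn.execute(
        "SELECT * FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_query("Tom", PAYLOAD))
    print("vulnerable, payload as password     :", login_vulnerable(conn, "Tom", PAYLOAD))
    print("parameterized, payload as password  :", login_parameterized(conn, "Tom", PAYLOAD))
    print("parameterized, real password        :", login_parameterized(conn, "Tom", "password123"))
```

Running it prints the exact query from the tutorial, then True for the concatenated version and False for the parameterized one. Note that the vulnerable login also succeeds with a username that does not exist, because the OR clause makes the condition true for every row; the parameterized version never runs the input as SQL, so the only way in is the real password.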


Using Wordlists for More Payloads

Sometimes OR 1=1 doesn’t work. Hackers then use wordlists — collections of SQL payloads — to test multiple variations until something works.

Example payloads:

  • ' OR 'a'='a

  • ') OR ('x'='x

  • admin' --


Automated SQL Injection with Tools

While manual testing is great for learning, hackers (and ethical pentesters) use tools to speed things up.

Burp Suite – Catching the Request

  1. Set Burp as a proxy.

  2. Log into the vulnerable site.

  3. Capture the login request and save it as a file.

SQLMap – Automating the Attack

Run:

sqlmap -r request.txt -p username

SQLMap then:

  • Detects the database type (MySQL in this case).

  • Finds injection points.

  • Dumps database contents (usernames, emails, passwords).

  • Cracks hashed passwords with dictionary attacks.


Real Demo Results

From the vulnerable site, SQLMap revealed:

  • Users: admin, Tom, Harry, Ron

  • Emails: tom@getmantra.com, etc.

  • Passwords: Some in plain text, others cracked in seconds.


How to Defend Against SQLi

Protecting against SQLi isn’t rocket science, but it requires discipline:

  1. Use Parameterized Queries – No direct string concatenation in SQL.

  2. Validate Inputs – Only allow expected characters (e.g., no ' or -- in username fields). Treat this as a second layer: character blocklists are easy to get wrong, so validation supports parameterized queries rather than replacing them.

  3. Use a Web Application Firewall (WAF) – Block suspicious requests before they reach your site.

  4. Rate Limiting – Stop repeated requests from the same IP.

  5. Monitor Request Patterns – If one IP makes 400+ requests in a minute, something’s fishy.
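Items 4 and 5 are easy to get subtly wrong, so here is an added example (not code from the original post) of the monitoring check in Python over constructed access-log lines in the common Apache/nginx format. The login path /login, the IP addresses, the date and the request volumes are all assumed sample values; the 400-per-minute threshold is the post's rule of thumb. The example goes a little beyond the text by showing two ways to count: a naive count per calendar minute, which misses a burst that straddles a minute boundary, and a sliding 60-second window, which catches it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 400           # the post's "400+ requests in a minute" rule of thumb
LOGIN_PATH = "/login"     # assumed path of the login form

# Apache/nginx "combined" style access-log line: ip - - [timestamp] "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, datetime, method, path), or None if the line is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, method, path = m.groups()
    return ip, datetime.strptime(stamp, TS_FMT), method, path


def login_requests(lines):
    """Timestamps of requests to the login path, grouped by source IP."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, _method, path = parsed
        if path == LOGIN_PATH:
            by_ip[ip].append(when)
    return by_ip


def fixed_minute_buckets(lines):
    """Naive count per (ip, calendar minute); a burst across a boundary is split."""
    counts = Counter()
    for ip, stamps in login_requests(lines).items():
        for when in stamps:
            counts[(ip, when.strftime("%H:%M"))] += 1
    return counts


def max_requests_per_minute(lines):
    """Peak number of login requests per IP in any sliding 60-second window."""
    peaks = {}
    for ip, stamps in login_requests(lines).items():
        stamps.sort()
        start, best = 0, 0
        for end, when in enumerate(stamps):
            # drop requests that fall 60 seconds or more before the current one
            while when - stamps[start] >= timedelta(seconds=60):
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def flag_noisy_ips(lines, threshold=THRESHOLD):
    """IPs whose peak one-minute login rate reaches the threshold."""
    return sorted(ip for ip, peak in max_requests_per_minute(lines).items()
                  if peak >= threshold)


def make_sample_log():
    """Constructed log: one IP hits /login 8 times per second for 75 seconds
    straddling the 11:00 boundary; another IP makes five ordinary attempts."""
    base = datetime(2025, 8, 14, 10, 59, 20, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "POST {path} HTTP/1.1" 401 512'
    lines = []
    for sec in range(75):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        lines += [fmt.format(ip="203.0.113.7", ts=ts, path=LOGIN_PATH)] * 8
    for sec in range(5):
        ts = (base + timedelta(seconds=40 + sec)).strftime(TS_FMT)
        lines.append(fmt.format(ip="198.51.100.20", ts=ts, path=LOGIN_PATH))
    lines.append("this line is not a request and is skipped")
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("per calendar minute :", dict(fixed_minute_buckets(log)))
    print("peak per sliding min:", max_requests_per_minute(log))
    print("flagged             :", flag_noisy_ips(log))
```

On the constructed log the calendar-minute count reports 320 requests in 10:59 and 280 in 11:00 for the noisy IP, both under 400, so a naive rate limiter would let the burst through. The sliding window finds 480 requests inside a single 60-second span and flags the IP, while the ordinary client peaks at 5. Whatever tool you use for item 4, check which of the two counting methods it applies.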


Final Thoughts

SQL Injection is one of the oldest web vulnerabilities, yet it’s still one of the most dangerous. With tools like SQLMap, attacks that once took hours can now be done in minutes.

If you’re a developer, secure your input fields now.
If you’re learning cybersecurity, start with manual testing, then move to automated tools — but always in legal environments like OWASP Bricks.

Written by

Rabindra Kumar Meher