Almost every website stores data somewhere — usernames, passwords, orders.
That "somewhere" is a database, and websites talk to it using a language called SQL.
💡 Simple way to think about it: imagine the database is a giant table in Excel. SQL is how the website asks it questions like "Give me all users where username is admin."
🔐 How Does Login Work?
When you log in, the website runs a query like this (a real system compares a salted password hash rather than the plaintext password; plaintext keeps the example readable):
SELECT * FROM users WHERE username = 'admin' AND password = 'mypassword';
If the database finds a matching row → ✅ you're in. If not → ❌ wrong password.
🔄 Normal Login Flow: 👤 You type → 📝 Form → ⚙️ SQL Query → 🗄️ DB checks → ✅ Login OK
💉 What is SQL Injection?
Some websites take your input and paste it directly into the SQL query — no checking, no filtering.
What if you typed something sneaky that changes the entire meaning of the query?
⚡ The magic payload. Try this as your username: ' OR '1'='1' --
💀 What Happens to the SQL Query
SELECT * FROM users WHERE username = '' OR '1'='1' --' AND password = 'anything';
↑ The first ' closes the username string early, so the rest of your input is parsed as SQL, not as data.
↑ OR '1'='1' is always TRUE, so every row in users matches.
↑ -- starts a comment that runs to the end of the line, so the stray ' and the whole password check are ignored.
Two details a tester should know. The comment only swallows the password check when the application builds the query on a single line, which is why it is written on one line here; if the application puts AND password = ... on a new line, that clause survives. And MySQL only treats -- as a comment when it is followed by whitespace, so against MySQL the payload needs a trailing space after -- (or # can be used instead); SQLite, PostgreSQL and SQL Server accept -- on its own.
🚨 Injected Login Flow: 💀 Payload → 📝 Form → ⚠️ Broken Query → 🗄️ All match!
🔓 Login bypassed, no valid password needed!
🛡️ How Is It Fixed?
The fix: never splice user input into the SQL text. Use prepared statements (parameterised queries), so the database receives the query structure and the data separately and input can never change what the query means. Shown here in the PHP PDO style the original uses:
❌ Vulnerable (input becomes part of the SQL string)
$stmt = $pdo->query("SELECT * FROM users WHERE username = '$input'");
✅ Safe (input is bound as a parameter)
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$input]);
Escaping or stripping quotes is not a substitute: binding parameters is what keeps data and code apart.
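As an added, runnable illustration that is not part of the original lab: the page shows its fix in PHP PDO style, so this is a Python port using the standard-library sqlite3 module against a constructed in-memory users table. It builds the same login query two ways, by string concatenation and with bound parameters, and runs the lab's three scenarios against both (a normal failed login, a lone single quote, the full payload). It also adds one case the page does not show, the same trick placed in the password field, which needs no comment at all. The table contents and function names are my own.

```python
import sqlite3

# Constructed sample data for this demo (not from the original page).
USERS = [
    ("admin", "S3cret!pass"),
    ("alice", "correct horse battery staple"),
]

PAYLOAD = "' OR '1'='1' --"          # the page's username payload
PW_PAYLOAD = "x' OR '1'='1"          # variant placed in the password field


def make_db():
    """In-memory SQLite database with a plaintext users table.
    Deliberately simplified: real systems store salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def build_vulnerable_query(username, password):
    """String concatenation, as in the tutorial: input becomes part of the SQL
    text. Built on ONE line, so a -- comment swallows the password check."""
    return (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )


def vulnerable_login(conn, username, password):
    """Returns the usernames the concatenated query matched; raises on broken SQL."""
    return [row[0] for row in conn.execute(build_vulnerable_query(username, password))]


def safe_login(conn, username, password):
    """Parameterised query: the driver sends the input as data, never as SQL text."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    return [row[0] for row in rows]


def login_outcomes():
    """Runs the lab's scenarios against both implementations and returns the results."""
    conn = make_db()
    results = {}

    # Sanity check: a correct password works with the safe version.
    results["valid_safe"] = safe_login(conn, "admin", "S3cret!pass")

    # 1. A normal failed login looks the same either way: no rows.
    results["wrongpass_vuln"] = vulnerable_login(conn, "admin", "wrongpass")
    results["wrongpass_safe"] = safe_login(conn, "admin", "wrongpass")

    # 2. A lone quote breaks the SQL text, but only when it is spliced into it.
    try:
        vulnerable_login(conn, "'", "x")
        results["quote_vuln"] = "no error"
    except sqlite3.Error as exc:
        results["quote_vuln"] = f"SQL error: {exc}"
    results["quote_safe"] = safe_login(conn, "'", "x")   # just a user named '

    # 3. The payload: every row matches when concatenated, none when bound.
    results["payload_sql"] = build_vulnerable_query(PAYLOAD, "anything")
    results["payload_vuln"] = vulnerable_login(conn, PAYLOAD, "anything")
    results["payload_safe"] = safe_login(conn, PAYLOAD, "anything")

    # 4. Same idea in the password field: AND binds tighter than OR, so the
    #    condition becomes (username AND password) OR TRUE, with no comment needed.
    results["pw_payload_vuln"] = vulnerable_login(conn, "admin", PW_PAYLOAD)
    results["pw_payload_safe"] = safe_login(conn, "admin", PW_PAYLOAD)
    return results


if __name__ == "__main__":
    for name, value in login_outcomes().items():
        print(f"{name}: {value}")
```

Run it and compare the two columns: the vulnerable path returns both users for either payload and throws a syntax error on a bare quote, while the parameterised path treats every input as an ordinary (non-existent) username and returns nothing.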
🎯 Now go try it yourself! Go to the Simulator tab on the right. Your mission: bypass the SecureBank login without knowing any password!
🎯 Your Mission: bypass the SecureBank login without knowing any valid username or password.
1. Try a normal login first. Go to the Simulator. Try username admin and password wrongpass. See what a normal failed login looks like.
2. Watch the live SQL query. As you type in the username field, watch the SQL Query Panel update in real time. See how your input gets inserted directly into the query.
3. Inject the payload. In the username field type: ' OR '1'='1' -- and put anything in the password. Hit Login and watch the magic happen!
4. Submit the flag. After bypassing login a 🚩 flag appears. Copy it and paste it into the flag box below the Simulator to complete the lab!
💡 Try it yourself first! Only reveal hints if you're genuinely stuck. Struggling is how you actually learn.
Hint 1: Type just a single quote ' in the username field and watch what happens to the SQL query panel. That one character is the key to everything.
Hint 2: After the single quote, add OR '1'='1'. Since 1 always equals 1, this condition is always TRUE, making the database return all users.
Hint 3: Add -- at the end. In SQL, -- starts a comment, so the database ignores everything after it on that line, including the password check!
Type this exactly in the username field:
' OR '1'='1' --
Put anything in the password and click Login.
⚠️ Attempt it first! Only check the solution after you've genuinely tried. You learn way more from the struggle.