SQL Injection Simulator

📚 What is SQL Injection?

SQL Injection (SQLi) is a code injection technique where an attacker inserts malicious SQL code into application queries. This can allow attackers to:

Bypass authentication and authorization
Extract, modify, or delete database data
Execute administrative operations on the database
In some cases, execute commands on the operating system

Note: This is a pure frontend simulator. No real database is involved. The simulator shows what would happen if these queries were executed.

🧪 Mock Login Form

Username:

Password:

Query Analysis:

💡 Try These SQL Injection Payloads

Enter these in the username or password field:

Authentication Bypass:
' OR '1'='1

Comment-based Bypass:
admin'--

OR with Comments:
' OR 1=1--

                UNION Attack:

                ' UNION SELECT username, password FROM users--

                Dangerous Query:

                '; DROP TABLE users--

🔍 Understanding the Vulnerability

Vulnerable Code (Backend):

                
// ❌ VULNERABLE: String concatenation in SQL query

const query = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'";

db.execute(query);

The problem: User input is directly concatenated into the SQL query without sanitization, allowing attackers to modify the query logic.

Secure Code (Parameterized Query):

                
// ✅ SECURE: Using parameterized queries/prepared statements

const query = "SELECT * FROM users WHERE username=? AND password=?";

db.execute(query, [username, password]);

// ✅ SECURE: Using ORM (e.g., in Node.js with Sequelize)

User.findOne({ where: { username: username, password: password } });

🎯 How SQL Injection Works

When you enter: ' OR '1'='1 as username

The query becomes:


SELECT * FROM users WHERE username='' OR '1'='1' AND password='anything'

Since '1'='1' is always TRUE, the OR condition makes the entire WHERE clause TRUE, bypassing authentication and returning all users!

⚠️ Real-World Impact

Authentication Bypass: Login as any user without knowing password
Data Theft: Extract entire database contents
Data Manipulation: Modify or delete records
Privilege Escalation: Gain admin access
System Compromise: Execute OS commands (in advanced cases)
DoS Attacks: Crash database or application

🔒 Prevention Techniques

Parameterized Queries: Use prepared statements (BEST defense)
Stored Procedures: Use database stored procedures with parameters
Input Validation: Whitelist allowed characters and formats
Escape Special Characters: Escape SQL special characters in input
Least Privilege: Use database accounts with minimal permissions
ORM Frameworks: Use Object-Relational Mapping tools
WAF: Deploy Web Application Firewall
Error Messages: Don't expose database errors to users

🔍 Detection Tips

Look for special characters in input fields: ' " ; -- /* */
Test with boolean-based payloads: ' OR '1'='1
Try comment characters: -- # /* */
Use time-based payloads: ' OR SLEEP(5)--
Monitor database error messages
Use automated scanners (sqlmap, etc.)

💾 SQL Injection Simulator

Learn SQL Injection Safely