Security+ Academy · Lesson

SQL Injection and Command Injection

Learn how attackers craft injection payloads that manipulate database queries or OS commands, and how parameterized queries and input validation prevent them.

What Is SQL Injection?

SQL injection (SQLi) occurs when an attacker inserts or 'injects' malicious SQL code into an input field that is later passed to a database query. Because the application concatenates user input directly into a SQL statement, the database cannot distinguish between legitimate data and attacker-supplied commands. SQLi consistently ranks as one of the most dangerous web vulnerabilities on the OWASP Top 10.

Classic SQLi Payload Example

A vulnerable login query might look like: SELECT * FROM users WHERE username='INPUT' AND password='INPUT'. An attacker supplying ' OR '1'='1 as the username transforms the query so the WHERE clause is always true, bypassing authentication entirely. This is the classic tautology-based injection.

-- Vulnerable query (DO NOT use in production)
-- Shown with the payload ' OR '1'='1 substituted for the username input.
SELECT * FROM users
WHERE username = '' OR '1'='1'
  AND password = 'anything';
-- Note: AND binds tighter than OR, so as written this evaluates as
--   username = '' OR ('1'='1' AND password = 'anything')
-- and only matches rows whose password is literally 'anything'. With the same
-- payload in the password field the WHERE clause is a tautology: ALL rows are returned and authentication is bypassed.
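The following added example (not part of the original lesson) shows the same login query built two ways against a throwaway in-memory SQLite database with constructed sample users: once by string concatenation, which lets the tautology payload rewrite the statement, and once with parameterized placeholders, where the payload is treated purely as data. It also shows why the payload in the username field alone does not return every row (operator precedence) and adds a simple allow-list check as a second layer. All function names, the sample rows and the `USERNAME_RE` pattern are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample data: two users in a throwaway in-memory database.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The classic tautology payload from the lesson.
PAYLOAD = "' OR '1'='1"

# Hypothetical allow-list for usernames: letters, digits, underscore only.
# Input validation is defence in depth; parameterization is the real fix.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create the in-memory users table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates input into the SQL text: the database cannot tell data from code."""
    query = ("SELECT username FROM users WHERE username='" + username
             + "' AND password='" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Uses placeholders: values are bound separately and never alter the statement."""
    query = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(query, (username, password))]


def valid_username(username):
    """Allow-list check applied before the query is ever built."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run each variant and return the usernames each query matched."""
    conn = make_db()
    results = {
        # Legitimate credentials work in both versions.
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "safe_legit": login_parameterized(conn, "alice", "s3cret"),
        # Payload in both fields: WHERE becomes a tautology, every row returned.
        "vuln_payload_both": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        # Payload in the username only: AND binds tighter than OR, so this
        # reduces to username='' OR (password='anything') and matches nothing.
        "vuln_payload_username_only": login_vulnerable(conn, PAYLOAD, "anything"),
        # Parameterized: the payload is looked up as a literal username, no match.
        "safe_payload_both": login_parameterized(conn, PAYLOAD, PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:28s} -> {matched}")
    print("valid_username(PAYLOAD) ->", valid_username(PAYLOAD))
```

Running the script prints two matched users for `vuln_payload_both` and an empty list for every parameterized call with the payload; the allow-list rejects the payload outright because it contains quotes and spaces. The difference is not in the SQL text but in how it reaches the database: with placeholders the driver sends the statement and the values as separate items, so no input can change the query's structure.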
