PHP | programming | ~10 mins

How SQL injection exploits unsafe queries in PHP - Visual Walkthrough

Concept Flow - How SQL injection exploits unsafe queries
1. User Input Entered
2. Input Concatenated into SQL Query
3. Query Sent to Database
4. Database Executes Query
5. If Input Contains SQL Code:
   - Yes: Malicious SQL Runs - Data Leaked or Modified
   - No: Query Runs Normally
User input is added directly to a SQL query string. If the input contains SQL code, it changes the meaning of the query, causing harmful effects.
Execution Sample
PHP
<?php
// Takes the name straight from the query string, with no validation.
$user = $_GET['user'];
// Builds the SQL by string concatenation: the input becomes part of the SQL text.
$query = "SELECT * FROM users WHERE name = '$user'";
// Sends the assembled string to the database ($conn is an open mysqli connection).
$result = mysqli_query($conn, $query);
?>
This PHP code builds a SQL query by inserting user input directly into the query string, which can be exploited if the input is malicious.
Execution Table
Step | User Input | Query Built | Query Sent to DB | Effect
1 | Alice | SELECT * FROM users WHERE name = 'Alice' | SELECT * FROM users WHERE name = 'Alice' | Returns Alice's data
2 | Bob | SELECT * FROM users WHERE name = 'Bob' | SELECT * FROM users WHERE name = 'Bob' | Returns Bob's data
3 | ' OR 1=1 -- | SELECT * FROM users WHERE name = '' OR 1=1 -- | SELECT * FROM users WHERE name = '' OR 1=1 -- | Returns all users (SQL Injection)
4 | '; DROP TABLE users; -- | SELECT * FROM users WHERE name = ''; DROP TABLE users; -- | SELECT * FROM users WHERE name = ''; DROP TABLE users; -- | Deletes users table (SQL Injection)
5 | admin | SELECT * FROM users WHERE name = 'admin' | SELECT * FROM users WHERE name = 'admin' | Returns admin data
💡 The trace stops once the query is sent; malicious input changes the query's meaning, causing data leakage or damage.
Variable Tracker
Variable | Start | After 1 | After 2 | After 3 | After 4 | After 5
user | null | Alice | Bob | ' OR 1=1 -- | '; DROP TABLE users; -- | admin
query | null | SELECT * FROM users WHERE name = 'Alice' | SELECT * FROM users WHERE name = 'Bob' | SELECT * FROM users WHERE name = '' OR 1=1 -- | SELECT * FROM users WHERE name = ''; DROP TABLE users; -- | SELECT * FROM users WHERE name = 'admin'
Key Moments - 3 Insights
Q: Why does the query return all users when the input is "' OR 1=1 --"?
A: Because the input closes the string and adds OR 1=1, which is always true, so the WHERE clause matches all rows (see the execution table, row 3).
Q: How can input like "'; DROP TABLE users; --" delete the table?
A: The input ends the first query and adds a new command to drop the table; the -- comments out the rest, so the database runs both commands (see the execution table, row 4).
Q: Why is directly inserting user input into queries unsafe?
A: Because malicious input can change the query structure and run harmful SQL commands, as shown in rows 3 and 4 of the execution table.
Visual Quiz - 3 Questions
Test your understanding
1. Looking at the execution table, what query is built when the user input is "Bob"?
A. SELECT * FROM users WHERE name = 'Bob'
B. SELECT * FROM users WHERE name = '' OR '1'='1'
C. SELECT * FROM users WHERE name = 'Alice'
D. SELECT * FROM users WHERE name = ''; DROP TABLE users; --
💡 Hint: Check the 'Query Built' column of the execution table, row 2.
2. At which step does the SQL injection cause all users to be returned?
A. Step 1
B. Step 4
C. Step 3
D. Step 5
💡 Hint: Look at the execution table, row 3, where the input is "' OR 1=1 --".
3. If the user input were sanitized to prevent quotes, how would the query change at step 3?
A. It would cause a syntax error
B. It would search for the literal string, including the quotes
C. It would still return all users
D. It would delete the users table
💡 Hint: Sanitizing input escapes quotes, so the input is treated as text, not SQL code (see the variable tracker for how the query changes).
Concept Snapshot
Unsafe SQL queries directly insert user input into query strings.
Malicious input can change query logic or add commands.
This is called SQL injection and can leak or destroy data.
Always use safe methods like prepared statements to prevent it.
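As an added example (not part of the original walkthrough, and not code from the page), here is the lookup from the Execution Sample rewritten with a prepared statement, run against an in-memory SQLite database so it can be executed offline. The users table, its name column and the three rows are constructed sample data; the five inputs are the ones from the execution table. A second function shows the same fix for the page's mysqli style, where $conn is assumed to be an open mysqli connection.

```php
<?php
// Added example, not the page's original code. Demonstrates the fix the
// Concept Snapshot recommends: send the SQL text and the user value to the
// database separately, so the value can never change the query's structure.
declare(strict_types=1);

// Same query shape as the page's unsafe example, but with a placeholder.
// The SQL text is fixed; whatever the user types is bound as a plain value.
function findUserByName(PDO $db, string $user): array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->bindValue(':name', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same fix applied to the page's mysqli code. bind_param('s', ...) ships
// the value as a string parameter, separate from the query text.
// Assumes $conn is an open mysqli connection (not created here).
function findUserByNameMysqli(mysqli $conn, string $user): array
{
    $stmt = $conn->prepare('SELECT * FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// --- offline demonstration with constructed sample data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('Alice'), ('Bob'), ('admin')");

// The five inputs from the page's Execution Table, in order.
$inputs = ['Alice', 'Bob', "' OR 1=1 --", "'; DROP TABLE users; --", 'admin'];

foreach ($inputs as $i => $user) {
    // The string the page's unsafe code would have built. Shown for contrast
    // only; it is never sent to the database here.
    $unsafeQuery = "SELECT * FROM users WHERE name = '$user'";
    $rows = findUserByName($db, $user);
    printf("Step %d input %-26s unsafe text would be: %s\n",
        $i + 1, json_encode($user), $unsafeQuery);
    printf("        prepared statement matched %d row(s)\n", count($rows));
}

// The DROP TABLE text was compared against the name column as data, so the
// table is still there with every row intact.
$count = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "users rows after all inputs: $count\n";
```

With the prepared statement, steps 1, 2 and 5 match the one user whose name equals the input, while the step 3 and step 4 inputs match nothing: the database compares the literal text `' OR 1=1 --` and `'; DROP TABLE users; --` against the name column instead of parsing it as SQL, which is exactly the difference the quiz's third question is asking about.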
Full Transcript
This example shows how unsafe SQL queries in PHP can be exploited by SQL injection. The code takes user input and inserts it directly into a SQL query string. When the input contains special SQL code like "' OR 1=1 --" or "'; DROP TABLE users; --", it changes the meaning of the query. This can cause the database to return all user data or even delete tables. The execution table traces each step: the user input, the built query, and the effect. The variable tracker shows how the variables change with each input. The key moments explain why certain inputs cause harmful effects. The visual quiz tests understanding by asking about specific steps and outcomes. The concept snapshot reminds us that directly inserting user input is unsafe and that prepared statements should be used instead.