Tags: SQL, query. Estimated time: ~10 mins

How SQL injection exploits queries - Visual Walkthrough

Concept Flow - How SQL injection exploits queries
1. User Input Received
2. Input Inserted into SQL Query (by string concatenation, without escaping or binding)
3. Query Sent to Database
4. Database Executes Query (the database cannot tell the developer's SQL from the attacker's)
5. Is the Input Malicious?
   Yes -> SQL Injection Occurs -> Attacker Gains Unauthorized Access -> END
   No  -> Query Executes Normally -> END
User input is concatenated directly into a SQL query string. If the input contains SQL syntax (a closing quote, an OR clause, a comment marker), it changes the meaning of the query; the database executes whatever it receives, so the attacker's text runs as SQL. That is SQL injection, and in this walkthrough it yields unauthorized access to user records.
Execution Sample
Python building a SQL string (deliberately vulnerable)
user_input = "' OR '1'='1"
query = "SELECT * FROM users WHERE username = '" + user_input + "';"
# query sent to DB
# DB executes query
This code shows how a malicious input closes the quoted string and appends its own condition, so the WHERE clause always evaluates to true. The database returns every row: SQL injection.
Execution Table
Step | User Input   | Query Formed                                                    | Query Meaning                                                            | Result
1    | ' OR '1'='1  | SELECT * FROM users WHERE username = '' OR '1'='1';             | WHERE is always true because '1'='1'                                     | All user records returned (SQL Injection)
2    | normalUser   | SELECT * FROM users WHERE username = 'normalUser';              | Matches the user with username 'normalUser'                              | Only the normalUser record returned
3    | admin'; --   | SELECT * FROM users WHERE username = 'admin'; --';              | Closes the string, terminates the statement, comments out the rest ('; ) | Admin user record returned (SQL Injection: attacker controls the query structure)
4    | (empty)      | SELECT * FROM users WHERE username = '';                        | Matches no user (no row has an empty username)                           | No records returned
5    | user123      | SELECT * FROM users WHERE username = 'user123';                 | Matches the user with username 'user123'                                 | Only the user123 record returned
6    | Execution ends
💡 Execution stops after the query is sent and the database returns its results.
Variable Tracker
user_input
  Start:   null
  After 1: ' OR '1'='1
  After 2: normalUser
  After 3: admin'; --
  After 4: (empty string)
  After 5: user123
  Final:   user123
query
  Start:   null
  After 1: SELECT * FROM users WHERE username = '' OR '1'='1';
  After 2: SELECT * FROM users WHERE username = 'normalUser';
  After 3: SELECT * FROM users WHERE username = 'admin'; --';
  After 4: SELECT * FROM users WHERE username = '';
  After 5: SELECT * FROM users WHERE username = 'user123';
  Final:   SELECT * FROM users WHERE username = 'user123';
Key Moments - 3 Insights
Why does the query return all users when input is "' OR '1'='1"?
Because the leading quote closes the username string, and the appended OR '1'='1' is a condition that is always true. The WHERE clause becomes (username = '') OR (true), which matches every row (see execution_table step 1).
How does the input "admin'; --" change the query?
The quote closes the username string, the semicolon terminates the statement, and the -- marker turns the remainder of the line ('; from the original template) into a comment, so the database only sees WHERE username = 'admin' (see execution_table step 3). In this walkthrough the result happens to equal a legitimate lookup of "admin"; the danger is that any condition the developer placed after the injection point (for example AND password = '...') is discarded too. Two practitioner caveats: MySQL only treats -- as a comment when it is followed by whitespace, so attackers there use "-- " or "#"; and whether anything after the ; could run as a second statement depends on the driver allowing stacked queries, which is not needed here because the tail is commented out anyway.
Why does an empty input return no records?
Because the query becomes WHERE username = '', which matches no user (see execution_table step 4). Empty input is harmless here, but it shows that the concatenation itself, not any particular input, is the defect.
Visual Quiz - 3 Questions
Test your understanding
Q1. Look at the execution_table at step 1: what does the query return?
  A) No records
  B) All user records
  C) Only the admin user
  D) Syntax error
  💡 Hint: check the 'Result' column at step 1 in execution_table.
Q2. At which step does the input use a SQL comment to change the query?
  A) Step 3
  B) Step 2
  C) Step 4
  D) Step 5
  💡 Hint: look for the input containing '--' in execution_table.
Q3. If user_input is empty, what is the query result?
  A) Returns all users
  B) Returns the admin user
  C) Returns no users
  D) Causes an error
  💡 Hint: see execution_table step 4 for empty input.
Concept Snapshot
SQL injection happens when user input is concatenated directly into a query string.
Malicious input can change the query's logic, because the database parses the attacker's text as SQL.
Example: input "' OR '1'='1" makes the WHERE clause always true.
This returns all rows, bypassing the intended filter (for a login query, the authentication check).
Always use parameterized queries (prepared statements): the input is bound as a value, so quotes and comment markers are data, never SQL.
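The following runnable example is added here and is not code from the original page. It replays the five inputs of the execution table against an in-memory SQLite database using the page's concatenation pattern, then runs the same inputs through a parameterized query as the Concept Snapshot recommends. It goes one step beyond the page with a two-condition login query, to show why "admin' -- " matters even though step 3 alone looks like a normal lookup. The users table, the sample accounts and passwords, and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the page): username, password.
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("normalUser", "pw1"),
    ("user123", "pw2"),
]

# The five inputs from the execution table, in order.
PAGE_INPUTS = ["' OR '1'='1", "normalUser", "admin'; --", "", "user123"]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(user_input: str) -> str:
    """The page's vulnerable construction: input spliced into the SQL text."""
    return "SELECT username FROM users WHERE username = '" + user_input + "';"


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """Execute the concatenated query; returns the usernames matched."""
    rows = conn.execute(build_query(user_input)).fetchall()
    return [r[0] for r in rows]


def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """Hardened form: '?' placeholder. The driver binds the value, so a quote
    or '--' inside the input is compared as text, never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (user_input,)
    ).fetchall()
    return [r[0] for r in rows]


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Extension beyond the page: a login check with a second condition.
    A '--' in the username comments out the AND password = ... clause.
    (SQLite accepts a bare '--'; MySQL would need '-- ' with a trailing space.)"""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "';")
    rows = conn.execute(sql).fetchall()
    return [r[0] for r in rows]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same login check with both values bound as parameters."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return [r[0] for r in rows]


def run_execution_table() -> dict:
    """Map each page input to (concatenated result, parameterized result)."""
    conn = make_db()
    return {
        inp: (lookup_vulnerable(conn, inp), lookup_parameterized(conn, inp))
        for inp in PAGE_INPUTS
    }


if __name__ == "__main__":
    for inp, (vuln, safe) in run_execution_table().items():
        print(f"input={inp!r}: concat={vuln} parameterized={safe}")
    conn = make_db()
    print("login admin' -- / wrongpw, concat:       ",
          login_vulnerable(conn, "admin' -- ", "wrongpw"))
    print("login admin' -- / wrongpw, parameterized:",
          login_parameterized(conn, "admin' -- ", "wrongpw"))
```

Running it, the concatenated lookup returns all three accounts for "' OR '1'='1" and the admin row for "admin'; --", while the parameterized lookup returns nothing for either, because no username literally equals those strings. The login extension shows the payload logging in as admin with a wrong password only through the concatenated query.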
Full Transcript
This visual execution shows how SQL injection exploits queries when malicious user input is concatenated directly into the SQL query string. For example, the input "' OR '1'='1" changes the WHERE clause so that it is always true, returning all user records. The input "admin'; --" uses a SQL comment to discard the rest of the query and returns the admin user. Empty input returns no records. The execution table traces each step, showing the user input, the query formed, its meaning, and the result. The variable tracker shows how user_input and query change at each step. The key moments explain why certain inputs cause injection, and the quiz tests understanding of these steps. The snapshot reminds you to use parameterized queries to avoid this risk.