SQL Injection
A 20-lesson hands-on course on the most prevalent web vulnerability. Each lesson includes a live, interactive sandbox and a step-by-step diagram you can break.
Curriculum
20 parts in 5 phases
SQL Injection: Fundamentals
How a 50-year-old vulnerability still tops the OWASP Top 10. Hands-on demo of the classic login bypass.
SQL Injection: How databases work
Tables, rows, the parser, the planner, the executor - what actually happens between SELECT and the result. The mental model every later lesson builds on.
SQL Injection: Why it's possible
The exact mechanism - why a string from a stranger gets treated as code by your database. The conceptual leap that turns login bypass from magic into a logical consequence.
SQL Injection: Authentication bypass
Skip the login form entirely. How a single apostrophe turns "wrong password" into "welcome, admin" - and why the cascade is worse than the bypass itself.
SQL Injection: Comment injection
The 5-character lever that disables every WHERE clause after your input. Why -- and /**/ are the first thing to try on a vulnerable endpoint.
SQL Injection: UNION-based extraction
Exfiltrate the entire database one column at a time with UNION SELECT. Discover the column count, align the types, dump whole tables.
SQL Injection: Error-based extraction
The database wants to tell you the answer - let it. CAST, EXTRACTVALUE, and the verbose error messages that print schema and data right onto the page.
SQL Injection: Blind injection overview
No errors, no output, no problem - but only if you can see the side channel. The taxonomy of response body, status, and time oracles.
SQL Injection: Boolean-based blind
The slow, methodical cousin of UNION. One yes-or-no per request, characters extracted one bit at a time. The technique you fall back to when nothing else works.
SQL Injection: Time-based blind
When the page gives you nothing - no error, no length delta, no status change - the database clock does. SLEEP(5) and WAITFOR DELAY as the only oracle.
SQL Injection: Database enumeration
You have one query. Map the entire database - tables, columns, types, row counts - before you start pulling data.
SQL Injection: Extracting data
The full kill chain - from one vulnerable endpoint to the complete contents of the most sensitive table. LIMIT, OFFSET, batching, and how attackers think about throughput.
SQL Injection: Finding it in the wild
Where does SQLi actually live? Search fields, sort columns, JSON path filters, ORM raw() leaks. How a hunter thinks, not how a CTF player thinks.
SQL Injection: Secure coding practices
The defensive mindset. Whitelisting, least-privilege database users, never trusting client-supplied identifiers, and the human review checklist that catches what tools miss.
SQL Injection: Prepared statements
The one defense that actually works. What "prepared" means at the wire protocol level, why the database is the only thing you can trust, and the 5 lines that close the door.
SQL Injection: ORM security
ORMs help. They also leak. The raw() method, the extra() method, the whereRaw() - every ORM has a footgun and you will use all of them eventually.
SQL Injection: WAF & detection
Comments, case alternation, encoding, double-encoding. The trickster's toolbox for stubborn filters - and why the WAF is the doorbell, not the door.
SQL Injection: Real-world case studies
Heartland, TalkTalk, Equifax, HBGary, 7-Eleven. The actual payloads, the actual root causes, the actual post-mortems. What these incidents share.
SQL Injection: Modern challenges
GraphQL, JSON path injection, second-order attacks, mass-assignment, serverless functions, and the cloud-managed databases that ship with their own surprises.
SQL Injection: Review & practice
A curated set of progressively harder challenges against fresh endpoints. No hand-holding. The course final.