Thilan Dissanayaka Application Security Apr 26

SQL injection login bypass

SQL Injection (SQLi) is one of the oldest and most fundamental web application vulnerabilities. While it’s becoming rarer in modern web apps due to better coding practices and frameworks, understanding SQL injection is crucial for any beginner learning web application security.

This document will explore what SQL Injection is, how it works under the hood, and how an attacker can exploit it, using a classic login bypass as an example.

What is SQL?

SQL (Structured Query Language) is the standard language used to interact with databases. It allows you to:

Create, modify, and delete tables

Insert, fetch, update, and delete data

Handle user authentication, session management, and more

In most web applications, SQL queries are used to validate user credentials during login.

Let's start with a simple login page:

https://res.cloudinary.com/dxawocmqk/image/upload/v1745668890/hacksland/lunhsery8pnt43x7qoou.png

When a user submits the form, the web application internally checks wether a user exists or not in the database acording to the given details.

Imagine user entered the username as admin and password as p@ssword. Then the query might be a something like bellow.

"Do we have a user with username 'admin' and password 'p@ssword'?"

If the database finds a matching record, the user will be authenticated. Otherwise an error will be thrown.

To understand the SQL Injection we need to see how web application do this process under the hood. Here is a simplified version of the web application backend code.

<?php
 $username = $_POST['username'];
 $password = $_POST['password'];

 $query = "SELECT username, password FROM users WHERE username='$username' AND 
          password='$password' LIMIT 0,1";

$result = mysql_query($query);
$rows = mysql_fetch_array($result);

if ($rows) {
    echo "Login successful";
    create_session();
} else {
    echo "Login data invalid";
}
?>

What's happening here?

It reads username and password from the POST request.

It directly injects user input into an SQL query without validation or escaping.

It executes the query and checks if any rows were returned.

Here’s the structure of the SQL query:

SELECT username, password FROM users WHERE username='$username' AND password='$password' LIMIT 0,1;

Problem: Because user input is directly inserted into the SQL statement, an attacker can inject SQL code to manipulate the query.

Introduction to Fuzzing

Fuzzing is the process of feeding unexpected, random, or malicious input into a web application to find vulnerabilities.

In SQL Injection, a common fuzzing technique is to insert special characters like:

  • ' (single quote)

  • " (double quote)

  • ; (semicolon)

These characters can break SQL queries if the application isn’t properly sanitizing input.

Example: Breaking the Query Imagine you enter the following credentials:

Username: user

Password: pass'

Notice the single quote after pass.

The resulting SQL query becomes:

SELECT username, password FROM users WHERE username='user' AND password='pass'' LIMIT 0,1;

This introduces a syntax error because of the extra '.

The database throws an error:

"You have an error in your SQL syntax..."

Why? Let’s analyze:

The query expects properly closed strings like password = 'pass'.

But now it sees password='pass'', which confuses the SQL parser.

When an input breaks the SQL query, it’s often a hint that SQL Injection is possible!

Bypassing Authentication with SQL Injection

Our goal isn't just to break the query — we want to bypass login.

Let's inject a payload like:

test' OR 1=1 --

Entering this as the password, the resulting query becomes:

SELECT username, password FROM users WHERE username='user' AND password='test' OR 1=1 --' LIMIT 0,1;

Understanding This Payload 'test' is the injected password.

OR 1=1 is a logic bomb. 1=1 is always true.

-- is an SQL comment marker that tells the SQL engine to ignore the rest of the line.

Thus, the query effectively becomes:

SELECT username, password FROM users WHERE username='user' AND (password='test' OR 1=1);

Because 1=1 is always true, the password check is bypassed, and the login succeeds!

Bypassing Without Knowing the Username What if you don't even know the username?

Simple — modify the username field too:

Username: user' OR 1=1 --

Password: anything

Resulting query:

SELECT username, password FROM users WHERE username='user' OR 1=1 --' AND password='anything' LIMIT 0,1;

Here’s what happens:

username='user' OR 1=1 will always return true because of OR 1=1.

-- comments out the password check and the LIMIT clause.

Login bypass achieved!

Why Does SQL Injection Work Here? User input is directly embedded into the SQL query.

No validation or escaping of special characters (', ", --).

The attacker uses Boolean logic (OR 1=1) to bypass authentication.

SQL comments (--) are used to ignore the rest of the query.

Even though modern frameworks have better defenses (like prepared statements and ORM layers), SQL Injection remains a critical concept to understand for:

Web application penetration testing

Secure coding practices

Building a security-first mindset

Always sanitize, validate, and use parameterized queries when handling user input!

ALSO READ
Template Pattern explained simply
Apr 26 Software Architecture
Template Pattern explained simply

Ever found yourself writing similar logic over and over, only to change a few steps each time? That’s exactly what the **Template Pattern** helps you solve. The **Template Pattern** is a....

Reverse TCP shell with Metasploit
Mar 23 Penetration Testing
Reverse TCP shell with Metasploit

Metasploit is a powerful penetration testing framework that automates exploit development, generates shellcode, and acts as a listener for incoming connections. This tutorial introduces how to create....

OAuth: The Secret Behind
May 17 Application Security
OAuth: The Secret Behind "Sign in with Google"

Ever clicked that handy "Sign in with Google" button instead of creating yet another username and password? You're not alone! Behind that convenient button lies a powerful technology called OAuth....

Understanding Assembly Language: Purpose and Structure
Mar 23 Low level Development
Understanding Assembly Language: Purpose and Structure

Assembly language is a low-level programming language that provides a human-readable representation of a computer's binary instructions. Unlike high-level languages like C, C++, or Python, which are....

ACID Properties in Databases: The Key to Reliable Transactions
Apr 25 Database Systems
ACID Properties in Databases: The Key to Reliable Transactions

When working with databases, one thing is absolutely critical: keeping your data safe, consistent, and reliable. That's where ACID properties come in — a set of principles that ensure every....

Kafka - Interview preparation guide
Jan 28 Interview Guides
Kafka - Interview preparation guide

## What is Apache Kafka? Apache Kafka is a distributed event streaming platform designed for high-throughput, fault-tolerant, and real-time data streaming. It is used for building real-time data....

ABOUT

Dive deep into the fascinating world of cybersecurity — where knowledge is power, and every byte matters.

Explore expertly written articles on system exploitation, web application hacking, exploit development, malware analysis, cryptography, and more.

CATEGORIES