Lab 48
Secure Architecture

SQL Injection — Live

Type ' OR 1=1 -- into a login box. A string-built query hands the attacker every row; a parameterized query treats it as harmless text. Watch the actual SQL the database receives in both cases.

A login form. Choose what the attacker types in the username box, toggle parameterized queries, and run it — watch the exact SQL the database receives.
Username input: admin' --
SQL the database executes (string-built): SELECT * FROM users WHERE name = 'admin' --' AND pass = '•••'

Run admin' -- as a string-built query (password check vanishes), then flip to parameterized and run the same input — now it's just a username that doesn't exist.
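The two query styles the lab toggles between, written out as an added example rather than the lab's own code. It builds a constructed in-memory SQLite table (the user names and passwords are made up), runs the same username through a string-built query and a parameterized one, and returns both the SQL text the database receives and the rows that come back. The `--` comment behaviour shown is SQLite's; the function names and the table layout are this example's assumptions.

```python
import sqlite3


def make_db():
    """Constructed demo table; the two accounts are made up for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "correct horse"), ("alice", "hunter2")],
    )
    return conn


def login_string_built(conn, username, password):
    """Vulnerable form: the input is spliced into the SQL text.

    A quote in the username closes the string literal early and a trailing
    -- turns the rest of the statement, including the password check, into
    a comment. Returns (sql_sent_to_db, matching user names).
    """
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{username}' AND pass = '{password}'"
    )
    rows = conn.execute(sql).fetchall()
    return sql, sorted(r[0] for r in rows)


def login_parameterized(conn, username, password):
    """Hardened form: the SQL text is fixed and the values travel separately.

    The database never parses the username as SQL, so admin' -- is simply a
    name that does not exist. Returns (sql_sent_to_db, matching user names).
    """
    sql = "SELECT name FROM users WHERE name = ? AND pass = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return sql, sorted(r[0] for r in rows)


def compare(username, password="wrong-password"):
    """Run one input both ways and report what the database saw and returned."""
    conn = make_db()
    return {
        "string_built": login_string_built(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    for attempt in ["admin' --", "' OR 1=1 --", "admin"]:
        result = compare(attempt)
        print(f"username input: {attempt!r}")
        for mode, (sql, names) in result.items():
            print(f"  {mode:13} -> {sql}")
            print(f"  {'':13}    rows: {names}")
```

Running it shows the string-built query returning the admin row for `admin' --` (the password check is commented away) and every row for `' OR 1=1 --`, while the parameterized query returns nothing for either input and only matches `admin` when the real password is supplied.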

What just happened