Problem Statement
Walk through a safe, step-by-step method to test for SQL Injection on a single parameter.
Explanation
First, pick a harmless, read-only endpoint (a product lookup, a search box) and confirm that it is in scope before sending anything. Start with simple input toggles that look for syntax errors or behavior changes: append a single quote, change the numeric value, or add an ORDER BY clause with an increasing column index, and watch whether the response shifts in a way that suggests the database is parsing your input rather than treating it as data.
If the parameter looks injectable, move to inference payloads that cannot damage data: boolean pairs (AND 1=1 versus AND 1=2, where the true case should match the baseline and the false case should return nothing) and, where the backend supports it, time delays such as SLEEP(2). Compare status code, response size, and timing against a baseline request for every probe; a time-delay payload is confirmed by elapsed time, not by content. Stop as soon as the application becomes unstable, and do not run UNION, stacked-query, or data-modifying payloads without explicit authorization. In the report, recommend parameterized queries (prepared statements) together with a least-privilege database account and type validation of the parameter. OWASP's WSTG covers this workflow under Testing for SQL Injection (WSTG-INPV-05).
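The workflow above, carried through end to end as an added example (not code from the original page or from OWASP): a deliberately injectable lookup handler and its parameterized fix sit side by side over a constructed in-memory SQLite table, a probe function sends the read-only toggles from the steps above (stray quote, boolean AND pair, valid and out-of-range ORDER BY), and a decision function applies the same rules a tester applies by hand. The handler names, table, and sample rows are assumptions for illustration. The SLEEP(2) probe is omitted because SQLite has no SLEEP(); against MySQL it would be added to the probe list and judged by elapsed time against the baseline.

```python
import sqlite3


# Constructed in-memory SQLite database standing in for the target's backend
# (sample data, not taken from any real application).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 9.99), (2, "gadget", 19.99), (3, "gizmo", 4.50)],
    )
    return conn


def vulnerable_lookup(conn, raw_id):
    """'Before' handler: the id parameter is concatenated into the query, so the
    database parses attacker-controlled text as SQL (deliberately injectable)."""
    sql = f"SELECT id, name, price FROM products WHERE id = {raw_id}"
    try:
        return {"status": 200, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # A parse error surfacing as a server error is the classic first indicator.
        return {"status": 500, "rows": [], "error": str(exc)}


def safe_lookup(conn, raw_id):
    """Hardened handler: validate the type, then bind the value with a placeholder
    so it can only ever be data, never SQL."""
    try:
        ident = int(raw_id)
    except ValueError:
        return {"status": 400, "rows": []}
    rows = conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (ident,)
    ).fetchall()
    return {"status": 200, "rows": rows}


# Read-only probes, one per step of the workflow. None of them modify data.
# A SLEEP(2) probe is omitted: SQLite has no SLEEP(); on MySQL it would be
# added here and judged by elapsed time against the baseline.
PROBES = {
    "baseline":     "1",
    "quote":        "1'",            # stray quote: does a parse error leak out?
    "always_true":  "1 AND 1=1",     # boolean pair: identical responses mean the
    "always_false": "1 AND 1=2",     #   condition is NOT being evaluated by the DB
    "order_by_ok":  "1 ORDER BY 3",  # valid column index for a 3-column SELECT
    "order_by_bad": "1 ORDER BY 5",  # out-of-range index: errors only if parsed as SQL
}


def probe(handler, conn):
    """Send each probe through the handler and record what a tester watches:
    status code and response size (row count stands in for body length here)."""
    return {
        name: {"status": r["status"], "rows": len(r["rows"])}
        for name, r in ((n, handler(conn, v)) for n, v in PROBES.items())
    }


def injection_indicators(results):
    """Apply the workflow's decision rules to the recorded responses and return
    the indicators that fired (an empty list means nothing suggests injection)."""
    hits = []
    if results["quote"]["status"] >= 500:
        hits.append("stray quote produced a server error")
    if results["always_true"] != results["always_false"]:
        hits.append("true/false conditions returned different responses")
    if results["order_by_ok"]["status"] == 200 and results["order_by_bad"]["status"] >= 500:
        hits.append("ORDER BY column index is being parsed")
    return hits


if __name__ == "__main__":
    for label, handler in (("vulnerable", vulnerable_lookup), ("safe", safe_lookup)):
        res = probe(handler, make_db())
        print(label, res, injection_indicators(res))
```

Against the concatenating handler all three indicators fire: the quote probe returns 500, the AND 1=1 and AND 1=2 pair return one row and zero rows, and ORDER BY 5 errors where ORDER BY 3 succeeds. Against the parameterized handler every non-numeric probe is rejected with 400 before reaching the database, so the true/false pair and the two ORDER BY probes are indistinguishable and the list stays empty. Note that the boolean pair deliberately uses AND rather than OR so the true case reproduces the baseline instead of dumping the whole table.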
Code Solution
id=1' OR '1'='1      (quote toggle with an always-true condition: does the response change or error?)
id=1 ORDER BY 5--    (column-count probe: an error appears only if the number is parsed as SQL)
id=1 AND SLEEP(2)    (MySQL time delay: confirmed when the response arrives about two seconds after the baseline)
