Bypass Logins Using SQL Injection

May 27, 2018 | Views: 35480

Dear Cybrarians,

I’m going to explain how to bypass the login of a website using SQL injection, and how the bypass works. I hope you all have a basic understanding of databases and SQL queries.

So, it starts now. Whenever we visit a website, there are options for logging in or signing up. If you are already a user of a website, you have to log in with your valid credentials. If the given credentials are wrong, then you can’t access your account. Users of a website may be admins or casual users.

Suppose the email field is not validated. Now, we pass some random input, email: bdhbhdm and password: 123456. The page displays a "wrong username or password" error message.

The original query behind the above login form is as follows:

SELECT id FROM users WHERE username=' ' and password=' '

With our input, it becomes:

SELECT id FROM users WHERE username='bdhbhdm' and password='123456'

The query runs in the database to check whether the username and password are valid. If the credentials are correct, then the query retrieves the particular account. Otherwise, it displays an error message.

We can use SQL injection to bypass the login and get access. Here, we use the following inputs:

1. username: 1' or '1'='1 and password: 1' or '1'='1

So the query becomes,

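SELECT id FROM users WHERE username='1' or '1'='1' and password='1' or '1'='1'

Since the condition '1'='1' is always true, the WHERE clause is true for every row, and access will be granted to the attacker. The position of the apostrophes in the input is important, because they have to pair up with the quotes already present in the query.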

2. username: admin'-- and password: anything

In this case, the query becomes,

SELECT id FROM users WHERE username='admin'-- and password='xxxxx'

The two dash characters (--) start a SQL comment, so the database ignores everything after them. The query therefore only checks the username, and the attacker will gain access to the admin account.


  1. This type of attack can be defeated by validating inputs in a form.
  2. Which SQL injection payload works depends on the type of database.
  3. Search “SQL injection cheat sheet” in Google for more payloads.
  4. You can test this attack legally on the websites below:

That’s all for now. I will be back with another helpful write-up. Thank you, and Happy Hunting!

1 Comment
  1. Is it possible for all websites?