Concept

What is SQL injection?

The weakness

SQL injection happens when user input is treated as part of a database query instead of plain text.

The attacker goal

The attacker tries to change the query logic to return data they should not be able to access.

The defender goal

Security teams look for suspicious query patterns and turn them into structured alerts.

Database Context

The Table You Are Querying

Pokémon 
---------------------------------------------------------
pokedex_number | name | type_1 | type_2 | base_stat_total

Normal searches should return Pokémon records. SQL injection-style input will simulate what could happen if the application built unsafe SQL queries.

Hands-On Lab

Search the Pokémon Database

GET

/search?q=<user_input>

Try a normal query first, such as Pikachu, Water, or Dragon. Then test a SQL injection payload and compare the application response.

Payload Testing

Queries To Try

Pikachu (risk: Normal)

Returns rows where the Pokémon name matches the search term.

Water (risk: Normal)

Returns Pokémon where type_1 or type_2 matches Water.

' OR '1'='1 (risk: High)

Simulates a tautology attack where the WHERE clause becomes true.

' UNION SELECT username, password_hash FROM admin_users-- (risk: High)

Simulates pulling data from a table the user should not access.

Pikachu'; DROP TABLE pokemon; (risk: High)

Simulates a stacked query attempt.

Security Telemetry

What Defenders Would Log

{
  "timestamp": "2026-05-01T22:45:12Z",
  "source_ip": "client_side_demo",
  "username": "guest",
  "event_type": "sql_injection_attempt",
  "route": "/search",
  "http_method": "GET",
  "payload": "' OR '1'='1",
  "result_count": 1028,
  "severity": "high",
  "mitre_attack": "T1190",
  "status": "exploited",
  "detection_reason": "SQL tautology pattern"
}

Defensive Takeaway

How This Should Be Prevented

Use parameterized queries

User input should be passed as data, not directly inserted into SQL strings.

Validate input

Applications should reject unexpected patterns and enforce safe input formats.

Monitor behavior

Logs should capture suspicious payloads, affected routes, source details, and detection reasoning.
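The following is an added example, not code from the lab: it puts the three takeaways together for the /search route, validating the term against an allowlist, matching it against a few detection rules, and emitting an event in the same field layout as the sample log above. The allowlist pattern, the detection regexes, the constructed rows used as a stand-in for the parameterized query's result set, and the source address 203.0.113.10 are all assumptions made for the demo.

```python
import json
import re
from datetime import datetime, timezone

# Allowlist for a legitimate search term (assumed format). Apostrophes are
# permitted because names such as Farfetch'd contain one; the parameterized
# query is what makes that safe, validation is the second layer that rejects
# obviously hostile shapes such as '=' ';' ',' and '--'.
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 .'\-]{1,30}$")

# Detection rules, checked in order. Each maps a regex to the detection_reason
# string written into the event; the first reason matches the sample log above.
DETECTION_RULES = [
    (re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I), "SQL tautology pattern"),
    (re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I), "SQL UNION pattern"),
    (re.compile(r";\s*(?:drop|delete|update|insert|alter)\b", re.I), "stacked query pattern"),
    (re.compile(r"--|/\*"), "SQL comment sequence"),
]

# Constructed rows standing in for what the parameterized query would return.
SAMPLE_ROWS = [
    (25, "Pikachu", "Electric", None),
    (7, "Squirtle", "Water", None),
    (130, "Gyarados", "Water", "Flying"),
]


def is_valid_search_term(q):
    return SEARCH_TERM_RE.fullmatch(q) is not None


def detect_injection(q):
    """Return the detection_reason for the first matching rule, or None."""
    for pattern, reason in DETECTION_RULES:
        if pattern.search(q):
            return reason
    return None


def lookup(q):
    """Stand-in for the parameterized database search."""
    return [r for r in SAMPLE_ROWS if q in (r[1], r[2], r[3])]


def build_event(source_ip, username, route, method, payload, result_count,
                reason, status, timestamp=None):
    """Structured event in the same field layout as the sample log."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "timestamp": timestamp,
        "source_ip": source_ip,
        "username": username,
        "event_type": "sql_injection_attempt" if reason else "search",
        "route": route,
        "http_method": method,
        "payload": payload,
        "result_count": result_count,
        "severity": "high" if reason else "info",
        "mitre_attack": "T1190" if reason else None,
        "status": status,
        "detection_reason": reason,
    }


def handle_search(q, source_ip, username, timestamp=None):
    """Validate, detect, then query; every request produces an event."""
    reason = detect_injection(q)
    if is_valid_search_term(q):
        rows, status = lookup(q), "allowed"
    else:
        rows, status = [], "blocked"   # rejected before it reaches the database
    return build_event(source_ip, username, "/search", "GET", q, len(rows),
                       reason, status, timestamp)


def event_json(event):
    return json.dumps(event, indent=2)


if __name__ == "__main__":
    for term in ["Water", "' OR '1'='1", "Pikachu'; DROP TABLE pokemon;"]:
        print(event_json(handle_search(term, "203.0.113.10", "guest")))
```

Because validation runs before the query, the tautology payload produces an event with status "blocked" and result_count 0, unlike the sample log's "exploited" with 1028 rows, which is what the unsafe application would record. Logging the benign searches as well gives analysts the baseline needed to spot a change in query volume or result counts.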