SQLi Payload Crafter

Step-by-step injection playbook — authorized testing only

Blog
DBMS MySQL / MariaDB·Context single-quote string·Techniques 7 enabled
27 total payloads

Step 1Detection

Confirm the parameter reaches SQL

Start with a syntax break, then boolean pairs. One signal is enough to move on.

What to look for

  • HTTP status, body length, or error text changes between true and false probes
  • SQL syntax error in the response after a quote or parenthesis break
  • Numeric parameters: skip the quote and test with AND 1=1 vs AND 1=2

If this fails

Payloads to send

7 in this step