Your SQLi cheatsheet is lying to you
Quote context, DBMS dialect, and WAF normalization kill copy-paste payloads. How the crafter recipe flow maps to real injection testing.
Last engagement, someone dropped ' OR 1=1-- into ?id=42. Numeric parameter. Integer cast on the server. Both requests returned the same JSON. Finding closed as "not vulnerable."
The sink was injectable two parameters over, in a cookie the scanner never touched.
Cheatsheets do not fail because the payloads are wrong. They fail because they skip the boring parts: where your input lands in the query, what engine parses it, whether a WAF normalizes spaces before concatenation happens.
The homepage is a recipe, not a dump
The SQLi Payload Crafter main view walks through the same order I use on a real test.
Detection first. Prove the parameter talks to SQL before you spray UNION.
Fingerprint next. Lock MySQL vs Postgres vs SQL Server before you copy dialect-specific strings.
Exploitation when you have a signal: reflective UNION, error leakage, boolean diff, time delay, auth bypass, stacked queries if the stack allows it.
Enumeration only when scope says schema work is fair game.
Bypass when a clean payload dies with 403 or a vendor block page, not because you are impatient.
Each step shows what to send, what to look for in the response, and where to pivot when the obvious path stalls. Sidebar still holds DBMS, quote context, UNION column count, sleep seconds, WAF transforms. The recipe is the spine.
Detection before extraction
Everyone wants UNION on pass two. On a client network that is how you get a Friday call from their SOC.
Syntax breaks that return mysqli or syntax error near tell you more than blind OR 1=1 on a field that never reaches a string context. Numeric sinks want AND 1=1 without a leading quote. JSON bodies sometimes need double-quote closure. Match the raw request, not the last engagement that happened to be PHP and MySQL.
Boolean pairs (AND 1=1 vs AND 1=2) are quiet. Often enough for the report when full exfil is out of scope.
WAF transforms are a scalpel
Tab whitespace, inline comments, mixed case: useful when baseline strings die at the edge. They also make response diffing miserable. I leave transforms off until a clean payload fails, then enable one at a time and note which mutation actually changed behavior.
If nothing moves after comment splitting and double URL encoding, you might be hitting prepared statements. No transform fixes bound parameters.
What this series covers
These posts are the judgment layer behind the generated strings. DBMS detection before you lock the dropdown. UNION workflow when output reflects. WAF bypass when you have evidence of filtering. Blind and time-based when the page gives you almost nothing back.
Use the crafter for speed. Use the guides so you do not ship a thousand SLEEP(5) probes because sqlmap defaults felt convenient.
FAQ
- Is this tool for attacking live websites?
- Only on targets you own or have written permission to test. The crafter outputs strings. Authorization, rate limits, and whatever hits the SIEM are still on you.
- Which databases does the crafter support?
- MySQL/MariaDB, SQL Server, PostgreSQL, Oracle, and SQLite. Comment syntax, concatenation, and version functions are not interchangeable. Set the engine before you copy.
- Where do the payload patterns come from?
- PayloadsAllTheThings SQL Injection, adapted per DBMS, injection context, and optional WAF transforms. Starting point, not a guarantee.