EncryptCodecencryptcodec
Simulations/SQL Injection

SQL Injection

Beginner

This login form is intentionally vulnerable. Use it to bypass authentication, target specific accounts, and extract the entire database — then learn exactly why it works and how to fix it.

Progress:
1
Any Access
2
Target Admin
3
Dump the Database
shopco.io/admin/login

Admin Login

What the database sees
SELECT * FROM users WHERE username = 'username' AND password = 'password'

Challenges

1
Any Access
Log in as any user without knowing a valid password.
hints
2
Target Admin
Log in specifically as admin without knowing their password.
hints
3
Dump the Database
Extract every row from the users table in one query.
hints
How to fix SQL injection
Parameterized queries eliminate the entire attack surface

Frequently Asked Questions