Expected Findings
- User input is interpolated directly into the SQL string.
- Quote-comment payloads return every row in the users table.
- Error responses echo the raw SQL back to the client.
Search Page
Raw SQL Injection
The user search builds SQL by string concatenation, so quote-and-comment payloads dump every row in the table.
Lookup
Primary Flows
- Boolean injection Classic OR 1=1
- Union dump Cross-table dump
- Error reflection Echoes SQL error
Signals
Query
q := "SELECT * FROM users WHERE username = '" + req.username + "'"