The Art of War Meets SQL Injection
Mar 18, 2025 · 2 min · web, sql-injection, portswigger, owasp
Sun Tzu sounds insufferable until you realize “know your enemy and know yourself” is just a precise description of what happens when you point a web app at a login form and start asking it rude questions.
SQL injection is the oldest, most famous, and most quietly terrifying class of web bug there is, and it is still worth keeping sharp on, because the shape of it shows up everywhere. PortSwigger’s Web Security Academy is the best place to do that: free, official, and the actual course pretending to be a pile of labs.
Here is the whole idea, stripped of mystique. An application takes your input and builds a database query out of it, like gluing two strips of paper together. If the developer trusted your input and glued it in raw, you can write input that stops being data and starts being instructions. You type ' OR 1=1 -- into a field expecting a username, and the query is no longer asking “is this a valid user” but “is one equal to one,” which, last I checked, it always is.
The Art of War part is this: the attack does not beat the system by being stronger. It beats it by understanding the system better than the system understands itself. The login form thinks it is asking a question. You know it is executing a sentence. That gap, between what the developer believes the code does and what the code actually does, is where every web vulnerability lives.
The discipline never moves, by the way. SQL injection against something you do not own and that has no bug bounty program is not research, it is a crime with extra steps. So this stays on DVWA, Juice Shop, and the deliberately vulnerable labs, where the only thing breaking is something built to be broken.
Know the enemy. The enemy is a string that should have been a parameter.
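The gluing described above, next to the parameter it should have been, as an added example that is not part of the original post. It runs against an in-memory SQLite database; the table, the sample rows and the function names are constructed for illustration.

```python
import sqlite3

PAYLOAD = "' OR 1=1 --"  # the input quoted in the post


def make_db():
    """In-memory users table holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "hunter2"), ("o'brien", "pw3")],
    )
    return db


def login_glued(db, username, password):
    """Vulnerable: input is concatenated into the query text itself."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return query, db.execute(query).fetchall()


def login_parameterized(db, username, password):
    """Fixed: the query text is constant and input is bound as data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return query, db.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The quote closes the string, OR 1=1 matches every row, and -- comments
    # out the password check, so the glued query returns the whole table.
    query, rows = login_glued(db, PAYLOAD, "anything")
    print(query, "->", rows)
    # Bound as a parameter, the same input is just an odd username: no rows.
    query, rows = login_parameterized(db, PAYLOAD, "anything")
    print(query, "->", rows)
    # Gluing is also a plain correctness bug: an honest apostrophe breaks it.
    try:
        login_glued(db, "o'brien", "pw3")
    except sqlite3.OperationalError as err:
        print("glued query failed on o'brien:", err)
    print(login_parameterized(db, "o'brien", "pw3")[1])
```

The fix changes nothing about the input; the only difference is whether the database receives it as part of the sentence or as a value inside it.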