This page is an interactive demonstration of what you can do with SQL injection. Due to security concerns on our own server, it uses a JavaScript implementation of a SQL server called TrimQuery. It has a few limitations, and you can't try out the tricks that use commenting. As such, we recommend you set up your own local server and try it there; there are plenty of videos and demos online to get you going.
Below, there's a username box, together with the output of the query that your input produces. None of it is escaped, so you can do as you please. Just remember, commenting isn't supported by this parser. The query that we'll assume is being made is as follows:
SELECT * FROM users WHERE users.username = '<your text here>'
To help you, note that there is only one table in the database. It's named users and has been filled with some sample data. The table schema is as follows:
Some examples to start you off are as follows:
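An added example, not part of the original page or of TrimQuery: the page's query built by string concatenation, next to the same lookup with a bound parameter, run against Python's built-in sqlite3. The users columns, the sample rows and the function names are assumptions, since the page's schema is not shown here.

```python
import sqlite3

def make_db():
    # Assumed schema and rows (constructed): the page's own schema is not shown.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"),
         ("carol", "carol@example.test")],
    )
    return db

def lookup_concatenated(db, text):
    """The page's query shape: input pasted between the quotes, unescaped."""
    sql = "SELECT * FROM users WHERE users.username = '" + text + "'"
    try:
        return sql, db.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        # A stray quote changes the statement's structure; here it no longer parses.
        return sql, None, str(exc)

def lookup_parameterized(db, text):
    """Hardened form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE users.username = ?"
    return sql, db.execute(sql, (text,)).fetchall()

# Constructed inputs: a normal name, a name containing a quote, and a
# quote-bearing string that rewrites the WHERE clause without using comments.
SAMPLES = ["alice", "o'brien", "' OR '1'='1"]

def compare(db):
    """Run every sample through both forms.

    Returns {input: (concatenated_rows, concatenated_error, bound_rows)}.
    """
    out = {}
    for text in SAMPLES:
        _, rows, err = lookup_concatenated(db, text)
        _, bound = lookup_parameterized(db, text)
        out[text] = (rows, err, bound)
    return out

if __name__ == "__main__":
    for text, (rows, err, bound) in compare(make_db()).items():
        concat = f"error: {err}" if err else f"{len(rows)} row(s)"
        print(f"{text!r:16} concatenated -> {concat:40} parameterized -> {len(bound)} row(s)")
```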