# SQL Injection

![[Appointment Write-up#^r4zupz]]

For example, the following SQL statement (defined in PHP) is vulnerable to SQL injection:

```php
$sql="SELECT * FROM users WHERE username='$username' AND password='$password'";
```

If `$username` is set to `admin'#`, the second part of the query will effectively be commented out, bypassing password verification. For a full example see [[Appointment Write-up]].

[[sqlmap]] can be used to automate SQL injection.

## Hack The Box Machines

- [[Appointment Write-up|Appointment]]
- [[Vaccine Write-up|Vaccine]]
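
The login query from this note in hardened form, as an added example (not code from the write-ups): the SQL text is fixed, the username is passed as a bound parameter, and the password is checked against a stored hash in PHP. Assumptions: an in-memory SQLite database via `pdo_sqlite` stands in for the real backend, and the table layout, the `make_db()` and `check_login()` names and the sample credentials are constructed for illustration.

```php
<?php
// Added example: prepared-statement version of the vulnerable login query.
// Assumptions: in-memory SQLite (pdo_sqlite) replaces the real database;
// schema, function names and credentials are constructed sample values.

function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([
        ':u' => 'admin',
        ':h' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

function check_login(PDO $pdo, string $username, string $password): bool
{
    // The statement text never changes; $username is sent as data, so a quote
    // or comment marker inside it cannot alter the query structure.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false; // no such user
    }
    // The password check happens in application code against a stored hash,
    // so there is no password clause in the SQL to comment out.
    return password_verify($password, $hash);
}

$pdo = make_db();
$cases = [
    ['admin', 'constructed-sample-pw'], // valid credentials
    ['admin', 'wrong'],                 // wrong password
    ["admin'#", 'anything'],            // the input from the note, now treated as a literal username
];
foreach ($cases as [$u, $p]) {
    printf("%-10s => %s\n", $u, check_login($pdo, $u, $p) ? 'accepted' : 'rejected');
}
```

With the MySQL PDO driver, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that statements are prepared server-side rather than emulated by the client.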