, where you can change a query to interfere with the application's logic.

e.g. an application login function: the user submits a username and password through the UI, and the backend runs a query like SELECT * FROM users WHERE username = '<username>' AND password = '<password>'

If the query returns a matching user, the login succeeds.

This can be bypassed with the SQL comment sequence -- to remove the password check.

If the username is submitted as administrator'-- with a blank password field, the query becomes SELECT * FROM users WHERE username = 'administrator'--' AND password = ''. Everything after -- is treated as a comment, so the password condition is never evaluated.
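
The login query from these notes, built by string concatenation and then with bound parameters, as an added example that is not part of the original notes. The in-memory SQLite table, the function names and the sample password are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data: one in-memory users table with a single account.
    # The plaintext password column only mirrors the query in the notes;
    # a real application stores and compares a salted password hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('administrator', 's3cret-constructed')")
    return db


def login_concat(db, username, password):
    # Vulnerable form: user input is pasted into the SQL text, so a quote
    # followed by -- ends the string literal and comments out the rest.
    query = ("SELECT * FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_param(db, username, password):
    # Hardened form: placeholders send the input as bound values, so the
    # quote and -- are compared as literal characters of the username.
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    cases = [
        ("administrator", "s3cret-constructed"),  # legitimate login
        ("administrator", "wrong"),               # wrong password
        ("administrator'--", ""),                 # input from the notes
    ]
    for user, pw in cases:
        print(f"{user!r:22} concat={login_concat(db, user, pw)!s:5} "
              f"param={login_param(db, user, pw)}")
```

Only the concatenated version accepts the third case; the parameterized version treats it as a username that does not exist.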