whatisgithub

What is sqli-labs?

audi-1/sqli-labs — explained in plain English

Analysis updated 2026-06-26

5,768PHPAudience · developerComplexity · 3/5Setup · moderate

In one sentence

A deliberately vulnerable PHP web application with step-by-step lessons covering every major SQL injection technique, designed for security students and developers to practice in a safe and legal local environment.

Mindmap

mindmap
  root((SQLI-LABS))
    What it does
      SQL injection practice
      Vulnerable app lessons
      Security skill building
    Injection Types
      Error-based
      Blind boolean
      Time-based blind
      Header injection
    Tech Stack
      PHP
      MySQL
      Apache
    Use Cases
      Learn SQL injection
      Practice bypasses
      Challenge lessons
    Audience
      Security students
      CTF players
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Work through guided lessons on error-based, blind boolean, and time-based SQL injection in a local practice environment.

USE CASE 2

Practice bypassing common SQL injection defenses like blacklists and input sanitization in a controlled setting.

USE CASE 3

Attempt challenge lessons (54 onward) that test injection skills without step-by-step guidance, simulating real-world conditions.

USE CASE 4

Learn how SQL injection works through HTTP headers like cookies and user-agent strings, not just URL parameters.

What is it built with?

PHPMySQLApache

How does it compare?

audi-1/sqli-labsopenai-php/clientcausefx/organizr
Stars5,7685,7785,749
LanguagePHPPHPPHP
Setup difficultymoderateeasymoderate
Complexity3/52/53/5
Audiencedeveloperdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires a local Apache and MySQL stack such as XAMPP or WAMP to run the PHP application.

So what is it?

SQLI-LABS is a deliberately vulnerable PHP web application designed for learning how SQL injection attacks work. SQL injection is a type of security vulnerability where an attacker can insert or manipulate database commands through a web application's input fields, potentially reading, modifying, or deleting data the application stores. The project sets up a local practice environment with a series of lessons, each covering a different category of SQL injection technique. The lessons cover error-based injection (where the attacker reads data through error messages), blind boolean-based injection (where the application gives no visible feedback but the attacker can infer information by asking yes-or-no questions), and time-based blind injection (where the attacker uses deliberate delays in the database's response to extract information). Additional lessons cover injections in database update and insert operations, injections through HTTP headers like cookies and user-agent strings, second-order injections, and methods for bypassing common defenses like blacklists and input sanitization functions. Installation involves unzipping the project into an Apache web server directory, configuring the database credentials in a configuration file, and running a setup page through the browser to create the database and tables. After that, each lesson is accessible by clicking a lesson number from the index page. The repository also includes challenge lessons (from lesson 54 onward) that test the skills covered in the earlier material without providing step-by-step guidance. Video walkthroughs and written explanations for the lessons are available on separate sites linked in the README. This project is intended for security students and developers who want hands-on practice identifying and exploiting SQL injection in a controlled, legal environment.

Copy-paste prompts

Prompt 1
I am working through SQLI-LABS lesson 1. Walk me through how error-based SQL injection works in this challenge and what payloads to try first.
Prompt 2
Explain how blind boolean-based SQL injection works in SQLI-LABS and show me a Python script that automates extracting the database name one character at a time.
Prompt 3
I am on a time-based blind injection challenge in SQLI-LABS. Show me how to use a SLEEP-based payload to extract data when the application gives no visible feedback.
Prompt 4
How do I set up SQLI-LABS locally on XAMPP? Walk me through unzipping, configuring the database credentials, and running the setup page.

Frequently asked questions

What is sqli-labs?

A deliberately vulnerable PHP web application with step-by-step lessons covering every major SQL injection technique, designed for security students and developers to practice in a safe and legal local environment.

What language is sqli-labs written in?

Mainly PHP. The stack also includes PHP, MySQL, Apache.

How hard is sqli-labs to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is sqli-labs for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.