gitwtfhub

wtf is sqli-labs?

audi-1/sqli-labs — explained in plain English

Analysis updated 2026-06-26

5,768PHPAudience · developerComplexity · 3/5Setup · moderate

TL;DR

A deliberately vulnerable PHP web application with step-by-step lessons covering every major SQL injection technique, designed for security students and developers to practice in a safe and legal local environment.

Mindmap

mindmap
  root((SQLI-LABS))
    What it does
      SQL injection practice
      Vulnerable app lessons
      Security skill building
    Injection Types
      Error-based
      Blind boolean
      Time-based blind
      Header injection
    Tech Stack
      PHP
      MySQL
      Apache
    Use Cases
      Learn SQL injection
      Practice bypasses
      Challenge lessons
    Audience
      Security students
      CTF players

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

Why would anyone build with this?

REASON 1

Work through guided lessons on error-based, blind boolean, and time-based SQL injection in a local practice environment.

REASON 2

Practice bypassing common SQL injection defenses like blacklists and input sanitization in a controlled setting.

REASON 3

Attempt challenge lessons (54 onward) that test injection skills without step-by-step guidance, simulating real-world conditions.

REASON 4

Learn how SQL injection works through HTTP headers like cookies and user-agent strings, not just URL parameters.

What's in the stack?

PHPMySQLApache

How it stacks up

audi-1/sqli-labsopenai-php/clientcausefx/organizr
Stars5,7685,7785,749
LanguagePHPPHPPHP
Setup difficultymoderateeasymoderate
Complexity3/52/53/5
Audiencedeveloperdeveloperops devops

Figures from each repo's GitHub metadata at analysis time.

How do you spin it up?

Difficulty · moderate Time to first run · 30min

Requires a local Apache and MySQL stack such as XAMPP or WAMP to run the PHP application.

Wtf does this do

SQLI-LABS is a deliberately vulnerable PHP web application designed for learning how SQL injection attacks work. SQL injection is a type of security vulnerability where an attacker can insert or manipulate database commands through a web application's input fields, potentially reading, modifying, or deleting data the application stores. The project sets up a local practice environment with a series of lessons, each covering a different category of SQL injection technique. The lessons cover error-based injection (where the attacker reads data through error messages), blind boolean-based injection (where the application gives no visible feedback but the attacker can infer information by asking yes-or-no questions), and time-based blind injection (where the attacker uses deliberate delays in the database's response to extract information). Additional lessons cover injections in database update and insert operations, injections through HTTP headers like cookies and user-agent strings, second-order injections, and methods for bypassing common defenses like blacklists and input sanitization functions. Installation involves unzipping the project into an Apache web server directory, configuring the database credentials in a configuration file, and running a setup page through the browser to create the database and tables. After that, each lesson is accessible by clicking a lesson number from the index page. The repository also includes challenge lessons (from lesson 54 onward) that test the skills covered in the earlier material without providing step-by-step guidance. Video walkthroughs and written explanations for the lessons are available on separate sites linked in the README. This project is intended for security students and developers who want hands-on practice identifying and exploiting SQL injection in a controlled, legal environment.

Yoink these prompts

Prompt 1
I am working through SQLI-LABS lesson 1. Walk me through how error-based SQL injection works in this challenge and what payloads to try first.
Prompt 2
Explain how blind boolean-based SQL injection works in SQLI-LABS and show me a Python script that automates extracting the database name one character at a time.
Prompt 3
I am on a time-based blind injection challenge in SQLI-LABS. Show me how to use a SLEEP-based payload to extract data when the application gives no visible feedback.
Prompt 4
How do I set up SQLI-LABS locally on XAMPP? Walk me through unzipping, configuring the database credentials, and running the setup page.

Frequently asked questions

wtf is sqli-labs?

A deliberately vulnerable PHP web application with step-by-step lessons covering every major SQL injection technique, designed for security students and developers to practice in a safe and legal local environment.

What language is sqli-labs written in?

Mainly PHP. The stack also includes PHP, MySQL, Apache.

How hard is sqli-labs to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is sqli-labs for?

Mainly developer.

View the repo → Decode another repo

This repo across BitVibe Labs

Don't trust strangers blindly. Verify against the repo.