Skip to content
A simple PHP application to learn SQL Injection detection and exploitation techniques.
Branch: master
Clone or download
Latest commit 5362776 Jun 4, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
udf Adding UDF so file May 12, 2019
www added support for multi line queries for udf example May 15, 2019
Dockerfile Adding docker files May 12, 2019
LICENSE Added license Jun 4, 2019 Removed to do as completed Jun 4, 2019
docker-compose.yml Fixed docker compose syntax May 14, 2019 added os interaction sql queries May 15, 2019

Simple SQL Injection Training App


This is an extremely vulnerable application. Please do not deploy in production or host it on the Internet. You are responsible for this application and what you do with it.

This is a simple PHP application with multiple pages to demonstrate and learn SQL Injection.

The PHP code is extremely primitive but clearly demonstrates the vulnerability and can be used to teach the various kinds of SQL injection in a hands-on class.


  • docker
  • docker-compose


  • Clone this repository
  • Run docker-compose up in the root of the repo where the docker-compose.yml file is present
  • Go to to create the database and tables within the application.

DB variables

If you wish to change the password of the root user when starting the containers, then the following files need to be updated with the new password that you choose

  • edit the value of MYSQL_ROOT_PASSWORD in docker-compose.yml
  • edit the value of $DBPASS in db_config.php
  • edit the value of $DBPASS in resetdb.php


The different inputs for each of the links can be found in

Reset DB

To reset the database, navigate to /resetdb.php

Database export

The sqlitraining.sql file contains the entire database as an export. This file can be reviewed to see what the DB looks like in terms of the tables and data within.

Get in touch!

You can’t perform that action at this time.