# SQL injection

<https://portswigger.net/web-security/sql-injection>

db cheatsheet: <https://portswigger.net/web-security/sql-injection/cheat-sheet>

## oracle:

On Oracle databases, every `SELECT` statement must specify a table to select `FROM`. If your `UNION SELECT` attack does not query from a table, you will still need to include the `FROM` keyword followed by a valid table name.

There is a built-in table on Oracle called `dual` which you can use for this purpose. For example: `UNION SELECT 'abc' FROM dual`