Input a single quote ( ' ). If the application returns a database error or behaves unexpectedly, it confirms the input is being processed by the database engine.
No — quotes still needed for the '1'='1'. Better:
/ prepared statements – the #1 defense.