: Reject any input containing special characters like ; , -- , or SELECT in fields where they don't belong.
: Find a search bar, login field, or URL parameter (e.g., ://example.com ). Inject the Payload : Replace the input with the payload. Observe the Lag : If the page loads instantly , the input is likely sanitized. {KEYWORD}');SELECT PG_SLEEP(5)--
: This closes the original SQL function and terminates the statement. : Reject any input containing special characters like
: This is the core command for PostgreSQL . It instructs the database to pause for exactly 5 seconds before responding. Observe the Lag : If the page loads
: This is the "gold standard." It treats all input as data, never as executable code.
This specific string is used to test if a database is vulnerable to "blind" attacks, where the server doesn't return data directly but its response time reveals information.
: Ensure the database user for the web app cannot execute administrative commands like PG_SLEEP .