SQL Injection Challenge 5, Security Shepherd (new)

But the app responds with an error:

Replace every space with /**/.

A database error or a change in the page's output confirms the parameter is vulnerable.

The flag is likely in a column named password, token, or flag. Payload: 1'/**/aNd/**/(SeLeCt/**/count(flag)/**/FrOm/**/users)/**/>/**/0-- -

Most Security Shepherd SQL challenges use double quotes (") or single quotes (') for string encapsulation. Try entering a single quote ' in the coupon field.