
Filter out characters like `;`, `-`, and `#` that are commonly used in injection attacks. Treat this as a secondary, defence-in-depth measure; it does not replace parameterized queries.

`#`: This is a comment character in MySQL. It tells the database to ignore everything that follows, preventing "syntax errors" from the rest of the original query that would otherwise break the hack. Example payload: `{KEYWORD});SELECT SLEEP(5)#`

In many attacks, the database doesn't "talk back" to the user with error messages. This is called Blind SQLi. Hackers use the SLEEP command as a "sonar" pulse:

The Request: The attacker sends the payload.

The Response: If the site hangs for 5 seconds, the attacker knows the database executed their code.

The Result: The site is vulnerable, and they can now begin extracting data bit by bit based on response times.

Never concatenate user input directly into queries. Use parameterized queries so the database treats input as data, not code.
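The following is an added example, not code from the original post, and it assumes a hypothetical product-search endpoint. It shows the concatenated query the payload above produces (what a MySQL server would be asked to run), the parameterized version that treats the same payload as an ordinary, harmless search term, and a small checker for the `SLEEP(` pattern in web-server access logs. SQLite stands in for MySQL here so the block runs offline; SQLite has no `SLEEP()` function, but the structural point (data versus code) is the same. The table, rows and log lines are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Payload quoted on the page, with the {KEYWORD} slot filled by an ordinary search term.
PAYLOAD = "boots');SELECT SLEEP(5)#"


def build_query_unsafe(keyword: str) -> str:
    """The vulnerable pattern: user input is pasted straight into the SQL text.

    With PAYLOAD the closing quote and parenthesis are supplied by the attacker,
    a second statement follows the ';', and '#' comments out the leftover "')".
    The string is only built here, never executed.
    """
    return f"SELECT id, name FROM products WHERE name IN ('{keyword}')"


def setup_db() -> sqlite3.Connection:
    """In-memory database with a constructed products table (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "boots"), (2, "sandals")])
    conn.commit()
    return conn


def search_products_safe(conn: sqlite3.Connection, keyword: str) -> list:
    """The fix: a parameterized query.

    The driver sends the keyword as a bound value, so quotes, ';' and '#' inside it
    are matched literally against the name column and can never become SQL syntax.
    """
    cur = conn.execute("SELECT id, name FROM products WHERE name IN (?)", (keyword,))
    return cur.fetchall()


# Time-based probe signature: a SLEEP(<seconds>) call, checked after URL-decoding
# so percent-encoded and '+'-encoded variants are seen in their decoded form.
SLEEP_CALL = re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.IGNORECASE)


def flag_time_based_sqli(log_line: str) -> bool:
    """True if an access-log line carries a SLEEP() probe in its request."""
    return SLEEP_CALL.search(unquote_plus(log_line)) is not None


def scan_access_log(lines: list) -> list:
    """Return the log lines that contain the SLEEP() pattern."""
    return [line for line in lines if flag_time_based_sqli(line)]


# Constructed access-log lines: one benign search, one carrying the page's payload
# (URL-encoded), and one benign search that happens to contain the word "sleeping".
LOG_LINES = [
    '10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /search?q=boots HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2024:10:01:07 +0000] "GET /search?q=boots%27%29%3BSELECT+SLEEP%285%29%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/May/2024:10:01:09 +0000] "GET /search?q=sleeping+bag HTTP/1.1" 200 611',
]


if __name__ == "__main__":
    print("Concatenated SQL the server would receive:")
    print("  " + build_query_unsafe(PAYLOAD))
    conn = setup_db()
    print("Parameterized search for 'boots':", search_products_safe(conn, "boots"))
    print("Parameterized search for the payload:", search_products_safe(conn, PAYLOAD))
    print("Flagged log lines:")
    for line in scan_access_log(LOG_LINES):
        print("  " + line)
```

Running the block prints the injected statement as it would reach MySQL, shows the parameterized query returning the matching row for `boots` and an empty result for the payload (no error, no second statement), and flags only the log line that actually carries `SLEEP(5)`. A time-based probe also leaves a second trace worth correlating: the request's response time jumps by the sleep duration, which is why L7's "sonar" works and why response-time outliers on search endpoints are worth alerting on.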

Understanding how these payloads work is the first step toward building a more secure web. Have you seen these patterns in your server logs lately? Let’s talk about it in the comments.