How it works...

SQLi occurs when the input is not validated and sanitized before it is used to form a query for the database. Let's imagine that the server-side code (in PHP) in the application composes the query as follows:

$query = "SELECT * FROM users WHERE id='".$_GET['id']. "'"; 

This means that the data sent in the id parameter will be integrated as is in the query. If we replace the parameter reference with its value, we have this:

$query = "SELECT * FROM users WHERE id='"."1". "'"; 

So, when we send a malicious input such as the one we sent earlier, the PHP interpreter reads the line of code as follows:

$query = "SELECT * FROM users WHERE id='"."' or '1'='1"."'"; 

The resulting SQL statement will look like this:

$query = "SELECT * FROM users WHERE id='' or '1'='1'"; 

That means: select everything from the table called users where the user id equals nothing or 1 = 1; and since one always equals one, every user meets these criteria. The first apostrophe we send closes the one opened in the original code. After that, we can introduce SQL code of our own, and the final apostrophe we send is deliberately left unclosed so that it is matched by the closing apostrophe already present in the server's code.

This is called error-based SQLi. It is the most basic form of SQLi: we use the error messages to find out whether our injection formed a valid query, and the query's results are displayed directly in the application's output.
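The following is an added example, not code from the book, that reproduces the mechanism described above in Python with an in-memory SQLite database (a stand-in for the PHP application and its users table): the concatenated query is run beside its parameterized counterpart so that the difference in behaviour for the same input is visible. The table contents and function names are constructed for the illustration.

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
SAMPLE_USERS = [("1", "alice"), ("2", "bob"), ("3", "carol")]

def make_db():
    """Build an in-memory users table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, user_id):
    """Mirror the PHP line on the page: the id parameter is concatenated
    straight into the SQL text, so the database parses it as SQL syntax."""
    query = "SELECT * FROM users WHERE id='" + user_id + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, user_id):
    """Hardened form: the SQL text is fixed and the value is bound as a
    parameter, so an apostrophe inside user_id can never close the literal."""
    query = "SELECT * FROM users WHERE id=?"
    return conn.execute(query, (user_id,)).fetchall()

def probe_error(conn, user_id):
    """Return the database error text for a malformed query, or None.
    This is the signal the text calls error-based: an unbalanced quote
    breaks the statement and the engine reports a syntax error."""
    try:
        lookup_vulnerable(conn, user_id)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

def demo():
    """Run the same inputs through both query styles and collect results."""
    conn = make_db()
    payload = "' or '1'='1"  # the same input the text sends in the id parameter
    return {
        "benign_vulnerable": lookup_vulnerable(conn, "1"),
        "payload_vulnerable": lookup_vulnerable(conn, payload),  # every row
        "benign_parameterized": lookup_parameterized(conn, "1"),
        "payload_parameterized": lookup_parameterized(conn, payload),  # no rows
        "error_vulnerable": probe_error(conn, "'"),  # lone apostrophe -> error
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the concatenated query the payload returns all three users while the parameterized query returns none, because the bound value is compared as a literal string rather than interpreted as SQL.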
