An SQLi attack may cause much more damage than simply showing the usernames of an application. By exploiting this kind of vulnerability, an attacker may exfiltrate all kinds of sensitive information about users, such as contact details and credit card numbers. It is also possible to compromise the whole server, and be able to execute commands and escalate privileges in it. Also, an attacker may be able to extract all the information from the database, including database and system users, passwords, and, depending on the server and internal network configuration, an SQLi vulnerability may be an entry point for a full network and internal infrastructure compromise.