If the input takes a string that gets inserted into a query as a string parameter, then you can easily manipulate the build query using quotation marks to form the string to your specific needs. Finding out the column names in a database. Webgoat sql injection intro 11 It’s rather like communicating with the spirit world via tapping.