A SQL injection attack occurs through the insertion and execution of malicious SQL statements in the entry fields of data-driven applications. It exploits security-related vulnerabilities in an application's software.
2. Table of Contents
Database
SQL
RDBMS
Uses of SQL
Applications of SQL
SQL Commands
SQL Injection
SQL Injection's Categories
SQL Injection Attack's Impact
Examples of SQL Injection
3. Database
Any structured information or data that is in the form of an organized collection and typically
stored electronically is referred to as a database. A database management system (DBMS)
usually controls a database. The data and the database management system, along with the
associated applications, are known as the database system. Data in most databases is
modelled in a way that makes it easy to process and renders data querying efficient.
The data in a database can be accessed, managed, modified, updated, controlled and
organized easily and efficiently. SQL (Structured Query Language) is used by most
databases for the purpose of writing and querying data.
To digress, website data is stored on the web servers of web hosting companies. The
best web hosts are often referred to as the "Best Windows Hosting Company", the "Best
Linux Hosting Company" or the "Top Cloud Hosting Company".
4. SQL
SQL is the abbreviation for Structured Query Language. Almost all relational databases use the
programming language SQL for querying, manipulating and defining data, and for providing access control.
Despite being an ANSI/ISO standard, there are various versions of the SQL language.
5. RDBMS
RDBMS is the abbreviation for Relational Database Management System. It is a
database in which data is stored in tables, so that the data can be used in relation
to other stored datasets. Most of the databases used by businesses are
relational databases. RDBMS serves as the basis for SQL as well as for all modern
database systems.
6. Uses of SQL
The uses of SQL are mentioned below. These uses shed light on the operations that are performed on
a database.
A new database can be created with SQL
New data can be inserted into the database
Existing data can be modified or updated
Data can be retrieved from the database
Data can be deleted
A new table can be created in a database, and it can be dropped as well
Permissions can be set for tables, procedures and views
Functions, views and stored procedures can be created
7. Applications of SQL
A few of the applications of SQL are mentioned below.
SQL functions as a Data Definition Language (DDL). Hence, it can be used to create a database
independently and to define its structure. It is a Data Control Language (DCL) that is used to
determine how a database can be protected against corruption and misuse.
SQL acts as a Data Manipulation Language (DML). This helps to maintain an existing database.
It is used widely as a client/server language. It can be used within the three-tier design that
characterizes the Internet architecture.
9. SQL Commands
SQL commands can be divided into 3 categories according to the work they do. These are mentioned below.
Data Definition Language (DDL): DDL has three parts, which are create, alter and drop. Create is used to
create a new object in a database. Alter is used for modifying objects in a database. Drop is used to
delete an object.
Data Manipulation Language (DML): DML has 4 parts, which are select, insert, update and delete. Select is
used to retrieve one or more records. A new record can be entered by using Insert. Update is used to modify
a record. By using Delete, a record can be deleted.
Data Control Language (DCL): DCL has 2 parts, which are grant and revoke. Grant gives permission to
users. Revoke is used to take permission away.
10. SQL Injection
SQL injection refers to a malicious code injection technique in which malicious code is inserted into SQL
statements through web page input. It is used for the purpose of attacking data-driven applications by
inserting malicious SQL statements into an entry field for execution. It is a frequently used web hacking
technique in which arbitrary SQL commands are inserted into the queries that a web application makes
to its database.
SQL injection exploits a security vulnerability in an application's software. It is known to be an
attack vector for websites, but it can be used to attack any type of SQL database. With the aid of SQL
injection, attackers can spoof identity as well as tamper with existing data. It can be used to cause
repudiation issues.
11. SQL Injection's Categories
There are 3 major categories of SQL injection, which are mentioned below.
In-band SQLi - It takes place when an attacker uses a single communication channel to launch an attack and
gather results.
Inferential SQLi - In it an attacker can reconstruct the database structure. This is done by sending payloads and
observing the web application's response and the database server's resulting behavior.
Out-of-band SQLi - It occurs when an attacker is unable to use the same channel for
launching an attack and gathering the results.
12. SQL Injection Attack's Impact
A successful SQL injection attack leads to the following:
Unauthorized access to sensitive data
Damage to reputation
Regulatory fines
13. Examples of SQL Injection
The most common examples of SQL injection are mentioned below.
Retrieving hidden data - In it a SQL query is modified to return additional results.
Subverting application logic - In it a query is changed to interfere with the application's logic.
UNION attacks - Data is retrieved from various database tables.
Examining the database - Information about the version and structure of a database can be extracted.
Blind SQL injection - In it the results of a query that the attacker controls are not returned in the
application's responses.
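The following is an added example, not code from the original slides, that illustrates the first two examples above ("retrieving hidden data" and "subverting application logic") together with the fix the slides imply: building a query by string concatenation versus passing the value as a parameter. It uses Python's built-in sqlite3 module on a constructed in-memory database; the table names, column names and sample rows are assumptions.

```python
import sqlite3

def build_db():
    """Constructed sample data: a products table whose unreleased rows the
    application hides, and a users table for a login check."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, released INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Widget", "Gifts", 1),
        ("Gadget", "Gifts", 0),          # hidden: not yet released
        ("Secret Tool", "Internal", 0),
    ])
    # Plain-text password only because this is constructed sample data.
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rrect-horse')")
    return conn

def products_vulnerable(conn, category):
    # The user-supplied value is spliced into the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT name FROM products WHERE category = '" + category
           + "' AND released = 1")
    return [row[0] for row in conn.execute(sql)]

def products_safe(conn, category):
    # Parameterized query: the driver sends the value separately from the SQL
    # text, so it can only ever be compared as data, never change the WHERE clause.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]

def login_vulnerable(conn, username, password):
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

if __name__ == "__main__":
    conn = build_db()
    # Retrieving hidden data: the closing quote plus "--" (SQL line comment)
    # discards the "released = 1" filter, so the unreleased Gadget is returned.
    print(products_vulnerable(conn, "Gifts' --"))   # ['Widget', 'Gadget']
    print(products_safe(conn, "Gifts' --"))         # []  (no such category)
    # Subverting application logic: the password condition is commented out.
    print(login_vulnerable(conn, "admin' --", "anything"))  # True
    print(login_safe(conn, "admin' --", "anything"))        # False
```

The same two functions behave identically for ordinary input, which is why this class of bug survives functional testing and is only caught by review, parameterization or a scanner that sends quote characters.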