Title: SQL Injection Attacks
1 SQL Injection Attacks
2 Table of Contents
- Database
- SQL
- RDBMS
- Uses of SQL
- Applications of SQL
- SQL Commands
- SQL Injection
- SQL Injections Categories
- SQL Injection Attacks Impact
- Examples of SQL Injection
3 DATABASE
- Any structured information or data that is kept as
an organized collection, typically stored
electronically, is referred to as a database. A
database management system (DBMS) usually controls
a database. The data and the database management
system, along with the associated applications,
are known as the database system. The data in most
databases is modelled in a way that makes it easy
to process and makes data querying efficient.
- The data in a database can be accessed, managed,
modified, updated, controlled and organized
easily and efficiently. SQL (Structured Query
Language) is used by most databases for the
purpose of writing and querying data.
- To digress, data of websites are stored on the
web servers of web hosting companies. The best
web hosts are often referred to as the Best
Windows Hosting Company or as the Best Linux
Hosting Company or as the Top Cloud Hosting
Company.
4 SQL
- SQL is the abbreviation for Structured Query
Language. Almost all relational databases use
SQL for querying, manipulating and defining data,
and for providing access control. Although SQL is
an ANSI/ISO standard, there are various versions
of the language.
5 RDBMS
- RDBMS is the abbreviation for Relational Database
Management System. It is a database in which data
is stored in tables, so that the data can be used
in relation to other stored datasets. Most of the
databases that are used by businesses are
relational databases. RDBMS serves as the basis
for SQL as well as for all modern database
systems.
6 Uses of SQL
- The uses of SQL are mentioned below. These uses
shed light on the operations that are performed
on a database.
- A new database can be created with SQL
- New data can be inserted in the database
- Previous data can be modified or updated
- Data can be retrieved from the database
- Data can be deleted
- A new table can be created in a database and it
can be dropped as well
- Permissions can be set for tables, procedures and
views
- Functions, views and stored procedures can be
created
7 Applications of SQL
A few of the applications of SQL are mentioned
below. SQL functions as a Data Definition Language
(DDL). Hence, it can be used to create a database
independently and to define its structure.
It is a Data Control Language (DCL) that is used
to determine how a database is protected against
corruption and misuse. SQL
acts as a Data Manipulation Language (DML). This
helps to maintain a database that already
exists. It is used widely as a client/server
language. It can be used with the three-tier
design that characterizes the
Internet architecture.
9 SQL Commands
- SQL commands can be divided into 3 categories
according to what they do. These are mentioned
below.
- Data Definition Language (DDL): DDL has three
parts, which are create, alter and drop. Create
is used to create a new object in a database.
Alter is used for modifying objects in a
database. Drop is used to delete an object.
- Data Manipulation Language (DML): DML has 4
parts, which are select, insert, update and
delete. Select is used to retrieve one or more
records. A new record can be entered by using
Insert. Update is used to modify a record.
Delete is used to delete a record.
- Data Control Language (DCL): DCL has 2 parts,
which are grant and revoke. Grant gives
permission to users. Revoke is used to withdraw
permission.
10 SQL Injection
- SQL injection refers to a code injection
technique in which malicious code is
inserted into SQL statements through web page
input. It is used to attack data-driven
applications by inserting malicious
SQL statements into an entry field for execution.
It is used frequently as a web hacking technique.
Arbitrary SQL commands are inserted into the
queries that a web application makes to
its database.
- SQL injection exploits a security vulnerability
in an application's software. It is
known as an attack vector for websites, but it
can be used to attack an SQL database of any type.
With the aid of SQL injection, attackers can spoof
identity as well as tamper with existing data. It
can be used to cause repudiation issues.
11 SQL Injections Categories
- There are 3 major categories of SQL injections,
which are mentioned below.
- In-band SQLi: It takes place when an attacker
uses a single communication channel to launch an
attack and gather results.
- Inferential SQLi: In it an attacker can
reconstruct the database structure. This is done
by sending payloads and observing the response of
the web application and the database server's
resulting behavior.
- Out-of-band SQLi: It occurs when an
attacker is unable to make use of the same
channel for launching an attack and gathering the
results.
12 SQL Injection Attacks Impact
- An SQL injection attack that is successful leads
to the following:
- Unauthorized access to sensitive data
- Damage to reputation
- Regulatory fines
13 Examples of SQL Injection
- The most common examples of SQL injection are
mentioned below.
- Retrieving hidden data: An SQL query is
modified to return additional results.
- Subverting application logic: A query is
changed to interfere with the application's
logic.
- UNION attacks: Data is retrieved from various
database tables.
- Examining the database: Information related to
the version and structure of a database is
extracted.
- Blind SQL injection: The results of the query
that is being controlled are not returned in the
responses of the application.
14 Thanks!
- You can find me at
- www.htshosting.org
- support_at_htshosting.org