SQL-Injections💉

Mohana Vamsi - Aug 19 - - Dev Community

SQL injection is another approach used by attackers whereby they are able to insert a malicious SQL code in to the database query through input fields. This leads to unauthorized access, data modification or even control of the database in question.

### Common Methods with Examples:

  1. Tautology Attack:
  2. Example: Just like you enter your username and password to perform the login on any website. The application might run a query like:The application might run a query like: 
 Query: GET all data from the users table WHERE the username equates the value of admin AND the password equates to a password.
Enter fullscreen mode Exit fullscreen mode

An attacker could input the following into the password field:An attacker could input the following into the password field:

 ' OR '1'='1
Enter fullscreen mode Exit fullscreen mode

The query becomes:

 SELECT * FROM users WHERE username = admin AND password =  OR 1=1;
Enter fullscreen mode Exit fullscreen mode

This query is always true and will thus allow an attacker to gain access to many different systems.

  1. Union-based Attack:
  2. Example: An example of an input the attacker might enter would be: 
  UNION SELECT username, password FROM users
Enter fullscreen mode Exit fullscreen mode

If the original query was:If the original query was:

 These statements tests a basic SELECT query with includes the columns name and email and filters the contacts table by the ID which is value of 1.
Enter fullscreen mode Exit fullscreen mode

It now becomes:

 query where I will like to obtain the contacts name and email from the contact table with ID 1 while at the same time extracting the user name and password from the user table is:
Enter fullscreen mode Exit fullscreen mode

This could disclose information regarding the users table, which could be sensitive at times.

  1. Error-based Attack:
  2. Example: An attacker may enter: 
 SELECT * FROM [Table_1] WHERE price_per_dose < ‘$500<50 AND 1=CONVERT(int, (SELECT @@version))
Enter fullscreen mode Exit fullscreen mode

This might compel the database to return an error that indicates to the attacker the specific SQL server version, in which the attacker could plan for other operations.

  1. Blind SQL Injection:
  2. Example: An attacker could enter, for example, to check whether a condition is true or false: 
  OR id =   AND (SELECT CASE WHEN (username = admin) THEN 1 ELSE 0 END) = 1
Enter fullscreen mode Exit fullscreen mode

If the application reacts in any way different when this input is employed, the attacker knows that the username ‘admin’ is predefined.

Image
MySQL Challenges: Mastering Database Concepts and Skills
Image
Most Commonly Used AWS Services

cloud, aws, beginners
Image
How to Provide Storage for a Public Website in Azure
Image
PYTHON BASICS: Working with input and print functions.
Image
In-Depth Guide to Working with Strings in Rust
Image
Features and Advantages of Groovy Over Java
Image
Usando super para chamar construtores da superclasse
Image
🏗️ Monolith vs Microservices: Which Architecture is Best for Your App? 🤔
Image
Protect Your Login Security with Fingerprint

webdev, javascript, beginners, programming
Image
HD Streamz APK

hdstreamz, webdev
Image
JAVASCRIPT_MOST_CONFUSING_QUESTION
Image
A Step-by-Step Guide Selecting the right Ant exterminator in Wilton
Image
LabEx Trending: Build a Digital Clock With Python and More
Image
The Future of Local LLM Execution: Running Language Models Locally with Ollama, ONNX, and More
Image
Which Is the Best YouTube Channel for Class 10?

bestclass10channel, topyoutubeclass10, class10learningchannel, class10learningchannels
Image
Understanding Database Normalization: A Practical Guide with E-Commerce Examples
Image
Understanding Static and Dynamic Typing Through a Computer Ports Analogy

beginners, coding
Image
Practical Usecase of Python for Devops&Cloud Engineer Role

python, automation, devops, cloud
Image
Implement LLM guardrails for RAG applications
. . . . . . . . . . . . . . . . . . . . . . .
Terabox Video Player