What is SQL Injection (with Example)?
- An attack on the database through which an attacker can modify or delete data
- The attack is carried out through SQL commands
- Malicious SQL statements are inserted into an entry field (for example a form input)
- Such statements should never be executable from an external IP address
- Through an SQL injection attack, attackers can gain unauthorized access to sensitive data such as user passwords, personal user information and credit card details.
- This type of attack usually remains unnoticed for long periods.
SQL Injection Examples:
UNION: data can be retrieved from different database tables
Hidden data: the SQL query can be modified to return additional results
It is a code-based vulnerability.
Types of SQL Injections
- In-Band (Error-Based and Union-Based)
- Blind (Boolean-Based and Time-Based)
- Out-of-Band
1. In-Band: here attackers use the same communication channel to carry out their attacks and to collect the results.
In-Band has two sub-types:
Error-Based: the attacker performs actions that cause the database to return error messages.
From these error messages details such as the server version and database information can be learned.
Union-Based: uses the UNION operator to combine the results of two or more SELECT statements into a single result returned by the database.
2. Blind: here the data is not transferred back through the web application.
Boolean-Based: the attacker sends an SQL query to the database and asks the application to return a result based on whether a condition is true or false.
Time-Based: likewise the attacker sends an SQL query to the database, but here the database is made to wait for some amount of time before returning the result. The delay tells the attacker whether the query evaluated to true or false.
3. Out-of-Band: it may be the result of a misconfiguration error made by the database administrator.
How does SQL work on a website?
Generally a website consists of 3 main components.
Backend: scripting languages such as Python, Perl, PHP
Server side: a database such as MySQL, Oracle, MS SQL
The query is written and sent as a GET request from the website.
You get the response back from the website in the form of HTML code.
An attacker can use SQL queries to:
- Delete records in a database
How to prevent an SQL Injection attack?
- Input validation
- Sanitize all inputs (for example remove quotes and special characters)
- Use an IPS
- Turn off visibility of database errors on production servers
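As an added example (not part of the original notes), a Python/sqlite3 login check written the vulnerable way, where the entry-field value is concatenated into the SQL text, beside the parameterized form in which the driver binds the input as data so it can never become part of the query; binding parameters is the standard fix and is more robust than stripping quotes. The `users` table, its rows, the `count_matches` helper and the test input are all constructed for this demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database with two user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting: whatever is typed into the
    entry field becomes part of the SQL text, so a quote in the input changes
    the structure of the query instead of being compared as a value."""
    sql = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterized statement: the SQL text is fixed and the driver passes the
    two values separately, so quotes or keywords in the input stay plain data."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def count_matches(login_fn, name, password):
    """Run one login function against a fresh sample database and return the
    number of rows it matched (a correct login should match exactly one)."""
    conn = make_db()
    try:
        return len(login_fn(conn, name, password))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed input containing a quote and an always-true condition.
    bad_password = "' OR '1'='1"
    print("vulnerable, good password:", count_matches(login_vulnerable, "alice", "s3cret"))
    print("vulnerable, crafted input:", count_matches(login_vulnerable, "alice", bad_password))
    print("safe, good password:     ", count_matches(login_safe, "alice", "s3cret"))
    print("safe, crafted input:     ", count_matches(login_safe, "alice", bad_password))
```

With the crafted input the vulnerable function matches every row in the table, while the parameterized function matches none because the string is compared literally against the stored password.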