SQL INJECTION

SQL injection is one of the most common web hacking techniques.

SQL injection is a code injection technique in which malicious SQL statements are inserted for backend database manipulation to access information.

SQL Injection Based on 1=1 is Always True.

SQL Injection Based on Batched SQL Statements .

A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.

SELECT * FROM Users; DROP TABLE Suppliers

Types of SQL Injection

1. Error-Based SQL Injection

2. Union-Based SQL Injection

3. Blind SQL Injection

    1. Boolean-based SQL injection

    2. Time-based SQL injection

Simple SQL Injection

An error-based SQL injection is the Simple SQL Injection or simplest type but, the only difficulty with this method is that it runs only with MS-SQL Server. In this attack, we cause an application to show an error to extract the database. Normally, you ask a question to the database, and it responds with an error including the data you asked for.

Union-Based SQL Injection

Union-Based SQL Injection uses the UNION operator. In this technique attacker combine the results of two or more SELECT statements into a single result. 

Blind SQL Injection

The blind SQL injection is the hardest type. In this attack, no error messages are received from the database; hence, we extract the data by asking questions to the database. 

The blind SQL injection is further divided into two kinds:

1. Boolean-based SQL injection

2. Time-based SQL injection

The above techniques can be used to obtain the data in the database by either asking a question or inducing a time delay.

SQL Injection prevention

Parameterized Statements

Object Relational Mapping

Escaping Inputs

Sanitizing Inputs

Principle of Least Privilege

Password Hashing

Third Party Authentication