In order to understand the SQL injection flaw, initially you need to have some knowledge of SQL. First, let's look at some basic database concepts:
- Column or field: A column or field is one particular piece of data referring to a single characteristic of all entities, such as username, address, or password.
- Row or record: A row or record is a set of information, or group of field values, related to a single entity, for example, the information related to a single user or a single client.
- Table: A table is a list of records containing information about the same type of elements, for example, a table of users, products, or blog posts.
- Database: A database is the whole set of tables associated with the same system or group of systems and usually related to each other. For example, an online store database may contain tables of clients, products, sales, prices, suppliers, and staff users.
To get information for such a complex structure, almost all modern programming languages and Database Management Systems (DBMS) support the use of SQL. SQL allows the developer to perform the following actions on the database:
|
Statement |
Description |
|
CREATE |
This is used to create databases and tables |
|
SELECT |
This allows information to be retrieved from the database |
|
UPDATE |
This allows modification of existing data in the database |
|
INSERT |
This allows the insertion of new data in the database |
|
DELETE |
This is used to remove records from the database |
|
DROP |
This is used to delete tables and databases permanently |
Other more sophisticated functionalities, such as stored procedures, integrity checks, backups, and filesystem access are also supported, and their implementation is mostly dependent on the DBMS used.
Most of the legitimate SQL operative tasks are performed using the preceding statements. The DELETE and DROP statements, however, can cause the loss of information if their usage is not controlled. In penetration testing, attempting SQL Injection attacks with DROP or DELETE is discouraged, or should I say forbidden, unless explicitly required by the client.