SQL Injection
what is sql injection?
SQL Injection is another form of vulnerability, one that attacks the database behind a website: the attacker's input ends up inside a database query, so the attacker can change what that query does.
What is SQL?
SQL stands for Structured Query Language, and you can think of it as another programming language that allows us to get information out of a 'database'.
Think of a database like a giant dictionary. You can look things up, and pull information. Say you wanted to look up 'all the words that began with the letter K'. This is something that you could do with SQL.
The issue begins when we perform queries like 'Give me all the users that ...' and the user is able to inject their own phrases into that sentence. For example, the attacker might supply the phrase "have a username of 'bob'". Then, without checking, the computer would execute the query 'Give me all the users that have a username of bob'. Whatever the attacker types becomes part of the query itself, not just a value the query looks up.
common sql injection patterns
Here is the most common SQL Injection pattern... This may come in handy for the tasks.
' OR '1'='1'
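The following added example (not part of the original page) shows the 'Give me all the users that ...' situation in working code: a query built by pasting the user's text straight into the SQL, beside the fixed version that binds the input as a parameter. It uses Python's built-in sqlite3 module with a constructed in-memory users table. The pattern from the page is used with its final quote left off, because this query template already supplies the closing quote; with the extra quote the database would reject the query as malformed instead of running it.

```python
import sqlite3

# Assumption: a constructed sample table, not data from the page.
SAMPLE_USERS = [("bob", "user"), ("alice", "user"), ("admin", "admin")]

# The page's pattern, minus the trailing quote that our query template adds itself.
INJECTION_PATTERN = "' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_users_vulnerable(conn, username):
    """'Give me all the users that have a username of <input>', built by string pasting.

    The quote characters in the input become part of the query's structure,
    so the input can rewrite the sentence instead of just filling in a value.
    """
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_users_safe(conn, username):
    """Same question, but the input is bound as a parameter.

    The database receives the SQL and the value separately, so the value is
    only ever compared against usernames; it is never read as SQL.
    """
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    """Run both versions with a normal name and with the injection pattern."""
    conn = make_db()
    return {
        "vulnerable_bob": find_users_vulnerable(conn, "bob"),
        "vulnerable_pattern": find_users_vulnerable(conn, INJECTION_PATTERN),
        "safe_bob": find_users_safe(conn, "bob"),
        "safe_pattern": find_users_safe(conn, INJECTION_PATTERN),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running it shows the point of the page: the pasted-together query returns every user when given the pattern, because the sentence has become "username is empty OR 1 equals 1", which is true for every row. The parameterised query returns nothing for the same input, since no user is literally named "' OR '1'='1". Looking for the first shape of query (string concatenation or formatting into SQL text) is how you find these spots during the tasks, and switching to the second shape is the fix.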
tasks
- On the website, you are to find where you could possibly use SQL Injection. What are some common places that these vulnerabilities are found?