01-03-2011, 11:49 AM
SQL INJECTION AND PREVENTION
WHAT IS SQL?
SQL stands for STRUCTURED QUERY LANGUAGE.
Structured Query Language ('SQL') is a textual language used to interact with relational databases.
SQL is used by websites to store and retrieve their data.
The original version called SEQUEL (structured English query language) was designed by an IBM research center in 1974 and 1975.
• There are several ANSI/ISO standards for SQL; ANSI 92 (SQL-92) is one of the most widely adopted.
• SQL is a universal language of databases that allows the storage, manipulation, and retrieval of data.
• Database is maintained in table form.
• SQL can:
o Execute queries against a database.
o Retrieve data from a database.
o Insert new records into a database.
o Delete records from a database.
o Update records in a database.
SQL falls into two classes:
Data Manipulation Language (DML) - SQL for retrieving and storing data.
Data Definition Language (DDL) - SQL for creating, altering and dropping tables.
Databases that use SQL include Microsoft SQL Server, MySQL, Oracle, Access and FileMaker Pro.
Tables
• In an SQL database there are tables which store information.
• Tables can store any information on a website, ranging from usernames, passwords, and addresses, to text displayed on a webpage, such as a page link or page header.
• Tables have columns in which the records (information) are kept.
• Each table has a name and each column has a name.
• Figure A below shows an example table.
• The table's name is "Names" and its columns' names are "FIRST" and "LAST".
• This table is storing the names of people; there are two records in total, "John Doe" and "Jane Smith".
SQL QUERIES
The typical unit of execution of SQL is the query.
An SQL query is a request for some action to be performed on a database.
It is a collection of statements that typically return a single result set.
For example, the query
SELECT lastname
FROM users
WHERE userid=1;
retrieves the lastname from the users table for the record whose userid is 1.
SQL INJECTION
SQL injection is a type of security exploit in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data.
SQL injection attacks are also known as SQL insertion attacks.
SQL injection is a technique for attacking a database through the web application that uses it.
SQL injection is not a direct database problem but rather an application issue that indirectly affects the database system.
SQL injection is currently the most common form of website attack.
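The following is an added example, not part of the original post, showing the mechanism described above using the post's own lookup query (SELECT lastname FROM users WHERE userid=...). The users table and the two inputs are constructed for the demo; the vulnerable lookup concatenates the input into the query text, while the hardened lookup binds it as a parameter so it is only ever treated as a value.

```python
import sqlite3


def make_db():
    """Constructed sample data shaped like the query in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, lastname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "Doe"), (2, "Smith"), (3, "Roe")])
    conn.commit()
    return conn


def lastname_vulnerable(conn, userid_param):
    """Builds the statement by string concatenation: the input becomes SQL."""
    sql = "SELECT lastname FROM users WHERE userid=" + userid_param
    return [row[0] for row in conn.execute(sql)]


def lastname_safe(conn, userid_param):
    """Parameterised statement: the input is bound as a value, never parsed."""
    sql = "SELECT lastname FROM users WHERE userid=?"
    return [row[0] for row in conn.execute(sql, (userid_param,))]


def lastname_validated(conn, userid_param):
    """Defence in depth: reject anything that is not an integer id first."""
    userid = int(userid_param)  # raises ValueError for non-numeric input
    return lastname_safe(conn, str(userid))


def demo():
    """Runs both lookups with a benign id and with an input that alters the WHERE clause."""
    conn = make_db()
    benign = "1"
    malicious = "1 OR 1=1"  # constructed input; turns the WHERE clause into a tautology
    return {
        "vuln_benign": lastname_vulnerable(conn, benign),
        "vuln_malicious": lastname_vulnerable(conn, malicious),  # leaks every row
        "safe_benign": lastname_safe(conn, benign),
        "safe_malicious": lastname_safe(conn, malicious),  # no row has that id
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterised lookup returns the same record for the benign input but nothing for the crafted one, because the whole string is compared against userid as a single value.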