InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Definitive Guide to SQL Injection

Security Lit Limited
Published in InfoSec Write-ups · 5 min read · Aug 29, 2022
Photo by David Pupaza on Unsplash

Introduction

There are two kinds of applications on mobile or the web: static and dynamic. A static site is just a set of web pages compiled together, showing you the same information every time. It doesn't tailor information to the user type/role and has no interaction with a back-end database.

A dynamic site, on the other hand, fetches data from a back-end database. Depending on the site type, it can show you data according to your taste and preferences, as Facebook and YouTube do, or it can show you an article, as medium.com does.

There are different types of databases. We can group them into two classes depending on how they store data. A database that stores data in rows and columns is called a relational database or a SQL database, and one that stores data in the form of objects is called a non-SQL database.

SQL databases have been in use for a long time, unlike non-SQL databases, and many developers prefer them over non-SQL databases.

What Is a SQLi Vulnerability?

Source: Avast

SQL Injection is a vulnerability that occurs when an attacker can fetch information from the SQL database, usually information they shouldn't have access to. The impact can range from access to credentials and sensitive tokens to bypassing authentication, exfiltrating data, and installing back doors.

Only SQL-type databases are vulnerable to this attack, called a SQLi Vulnerability.

Source: Cloudflare

A SQL injection can occur if a web application accepts input from a web form, input parameter (e.g., a search query), cookie, etc., and passes it directly to the database server without validating it.

The database server interprets the input as code rather than data and ends up executing it. It can have severe consequences. Some of them are mentioned below.

· Bypass Authentication
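The mechanism described above, where input passed straight to the database is parsed as code rather than data, can be checked with a small regression test. This is an added example, not code from the original article; it assumes Python's built-in sqlite3 module, and the table, function names and test inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)",
        [("Intro to SQL", 1), ("O'Reilly reading list", 1), ("Unreleased draft", 0)],
    )
    return db

def search_vulnerable(db, term):
    # The search term is concatenated into the statement text,
    # so the database server parses it as part of the SQL.
    sql = ("SELECT title FROM articles WHERE published = 1 AND title = '"
           + term + "' ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    # The statement text is fixed; the term is bound as a value and never parsed as SQL.
    sql = "SELECT title FROM articles WHERE published = 1 AND title = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (term,))]

def outcome(search, db, term):
    """Run a search and report either the rows or the database error."""
    try:
        return search(db, term)
    except sqlite3.Error as exc:
        return "error: " + str(exc)

# Constructed test inputs: a normal title, a legitimate title containing a quote,
# and a term that changes the WHERE clause when it is concatenated.
TEST_TERMS = ["Intro to SQL", "O'Reilly reading list", "' OR '1'='1"]

if __name__ == "__main__":
    db = make_db()
    for term in TEST_TERMS:
        print(repr(term))
        print("  concatenated :", outcome(search_vulnerable, db, term))
        print("  parameterized:", outcome(search_parameterized, db, term))
```

The concatenated query fails in two ways: a legitimate title containing a quote produces a syntax error, and the third term returns every row, including the unpublished one. The parameterized query treats all three inputs as plain values.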
