SQL Injection (SQLi)
All kinds and forms of SQLi for discussion and questioning
SQL injection is a form of database attack used to query or modify data in the database. Attackers can obtain results that may belong to other users. SQLi can be extended to compromise the backend server or cause a denial of service.
Error Based
The query output is not visible, but errors are; the error messages are used to formulate the exploit.
Union Based
Commonly uses ORDER BY / GROUP BY together with UNION.
Blind Based
No output or errors are shown, but the content of the web page may differ depending on whether the query is true or false.
Time Based
Tests whether the query response takes longer than normal to load the content.
Using a prepared statement rather than string concatenation greatly reduces SQLi and prevents possible attacks from untrusted user input, because the input is bound as a value and is never parsed as part of the SQL text.
A step further than prepared statements is to use stored procedures, which hold fully prepared statements within the database so that it can query itself without the need for user input.
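The difference between string concatenation and a prepared statement, shown side by side as an added example (not code from the original page). It uses Python's `sqlite3` module with an in-memory database; the `notes` table, its rows, the function names and the sample inputs are all constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO notes VALUES (?, ?)",
        [("alice", "alice-note"), ("bob", "bob-note"), ("o'brien", "obrien-note")],
    )
    return conn

def notes_concat(conn, owner):
    """Vulnerable: the input becomes part of the SQL text itself."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]

def notes_prepared(conn, owner):
    """Hardened: the SQL text is fixed; the input is bound as a value."""
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]

def compare(conn, owner):
    """Run both variants and return (concat_result, prepared_result)."""
    try:
        concat = notes_concat(conn, owner)
    except sqlite3.Error as exc:
        # A quote in the input changed the query's structure and broke it.
        concat = f"error: {type(exc).__name__}"
    return concat, notes_prepared(conn, owner)

if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: a normal name, a legitimate name containing a
    # quote, and a value whose quote rewrites the WHERE clause.
    for owner in ["alice", "o'brien", "x' OR '1'='1"]:
        print(repr(owner), compare(conn, owner))
```

With the concatenated query, the legitimate name `o'brien` causes a syntax error and the third input returns every user's notes; the prepared statement treats both as plain values and returns only the matching owner's rows.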