Chapter 31 Β· Flashcards

SQL Injection Flashcards

Click any card to reveal its definition.

0 / 10 flipped
SQL Injection (SQLi)
Tap to reveal
A code injection attack that inserts malicious SQL commands into input fields an application passes to a database. If the application doesn't validate the input, the database executes the attacker's SQL as part of the intended query β€” allowing data theft, modification, deletion, or authentication bypass.
What makes SQL injection possible?
Tap to reveal
Bad programming β€” specifically failing to validate, sanitize, or escape user input before incorporating it into a SQL query. When an application builds queries by concatenating user input into a SQL string, the user can type SQL syntax that the database executes as commands rather than data.
OR 1=1
Tap to reveal
The classic SQL injection payload. Appending OR '1'='1' to a WHERE clause makes the condition always true, returning every row in the table. Because 1 always equals 1, this tautology bypasses intended filters. Seeing OR 1=1 in web logs is a strong indicator of a SQL injection attempt.
Parameterized Query
Tap to reveal
The primary defense against SQL injection. The developer defines the SQL structure with placeholders first (SELECT * FROM users WHERE name = ?), then binds user input as a separate data value. The database engine treats bound values as literal data β€” never as SQL code. Even SQL syntax typed by the user cannot become executable commands.
Authentication Bypass via SQLi
Tap to reveal
Injecting SQL into a login form to gain access without valid credentials. By entering ' OR '1'='1'-- as the username, the attacker makes the authentication query always return true and comments out the password check. The database returns the first user β€” often an administrator β€” granting access with no password required.
UNION-Based SQL Injection
Tap to reveal
An advanced technique appending a UNION SELECT statement to extract data from tables the original query never targeted. For example: ' UNION SELECT username, password FROM admin_users-- combines the original results with admin credential data. Allows attackers to pivot through the entire database schema from a single injection point.
Four Outcomes of SQL Injection
Tap to reveal
(1) View β€” read any data in the database; (2) Modify β€” change records, prices, or access levels; (3) Delete β€” destroy tables or entire databases (DROP TABLE); (4) Deny β€” crash the database or make it unavailable. The actual reach depends on the permissions of the database account the application uses.
Least Privilege (Database)
Tap to reveal
Granting the database account the application uses only the permissions it actually needs. A read-only application should use a SELECT-only account. If SQL injection succeeds, the attacker is limited to what the compromised account can do β€” a SELECT-only account cannot run DROP TABLE even if injected. Least privilege limits impact without preventing the injection itself.
Web Application Firewall (WAF)
Tap to reveal
A network-layer defense that detects and blocks known SQL injection patterns β€” OR 1=1, UNION SELECT, DROP TABLE, comment sequences. Valuable as a supplementary layer but not a substitute for parameterized queries. An attacker can use encoding or obfuscation to evade WAF signatures that would not fool a properly parameterized database.
Code Injection vs. SQL Injection
Tap to reveal
Code injection is the broad category β€” inserting executable code into a data stream processed by an application. SQL injection is the specific type targeting relational databases. Other code injection types include HTML injection, XML injection, and LDAP injection. On the exam: if the scenario involves a database and SQL being executed from user input, the answer is SQL injection (a type of code injection).