06 - SQL Injection

 1. Read the text on the image below. Let's start at the beginning - what is SQL?

  Structured Query Language

  Samsung Quip Language

  Sentient Quotient Lizard

  Simplified Question Lingo

 2. What is SQL used for?

  used to structure questions and post them on the internet

  used by hackers, and only by hackers

  used in programming and designed for managing data held in a relational database management system (e.g. one linked to a website)

  used for creating games

 3. A large number of online websites that have database-driven features (e.g. customers signing up) will use SQL databases

 4. Here is an example of an SQL statement. It is selecting the fields firstname and lastname from a table…

  …called tblLondon where all staff are located

  There are no tables being referred to in this code

  …that is called the "London Office"

  …called tblStaff for only the staff who are in the London Office

 5. Which of the following statements about SQL injection is true?
1. SQL injection is a code injection technique that might destroy your database.

2. SQL injection is one of the most common web hacking techniques.

3. SQL injection is the placement of malicious code in SQL statements, via web page input.

  They are all true

  None of them are true

  Only 1 is true

  Only 1 and 3 are true

 6. SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id…

  The user uses physical ink to inject and corrupt your database

  The user gives you an SQL statement that you will unknowingly run on your database.

  The user uses python programming code to hack into your mysql database

  The user enters the phrase "sql injection" into the field, which will delete your database

 7. Analyse the code below. The original/intended purpose of the code was to …

  create an SQL statement to select a user, with a given user id.

  create an SQL statement that prevents a hacker

  create a text input box

  create an SQL statement that allows zero input

 8. Why would or could this be dangerous?
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "sly" input as shown in the image. The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.

  This could never be dangerous

  The "Users" table could be instantly deleted

  The "Users" table could contain names and passwords that the hacker may then see.

  The "Users" table could inject the hacker's own machine in a reverse attack

 9. An example of an SQL injection is: A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 into the input field.

 10. Read through the example below. Why could this be dangerous?

  because the SQL would be invalid and would do nothing

  because the SQL would be valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.

  because the SQL has entered rubbish, and the integrity of the database data will be affected.

  because the SQL would cause the entire contents of the database to be corrupted

 11. Select which SQL statement will do what the description says.
Most databases support batched SQL statements.
A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

  SELECT * FROM Users; DROP TABLE Suppliers

 12. Analyse the image and what is happening below. What would the resulting SQL statement be?

  SELECT * FROM Users WHERE UserId = 105;

  SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;

  SELECT * FROM Suppliers WHERE UserId = 105; DROP TABLE Users;

  DROP TABLE Suppliers;

 13. To protect a web site from SQL injection, you can use SQL _______________

 14. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
The SQL engine checks each parameter to ensure that it is correct for its column and that it is treated literally, and not as part of the SQL to be executed.

 15. True or False
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

 16. SQL injection (SQLI) was considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project.

 17. Blind SQL Injection is used when a web application is vulnerable to an SQL injection and the results of the injection are wholly visible to the attacker

 18. In 2015, an SQL injection attack stole the personal details of 156,959 customers from British telecommunications company TalkTalk's servers

 19. In 2009, the US Department of Justice charged an American, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack

 20. Put simply, an SQL injection is when a user tries to use…
*Note: the simple answer for how to prevent an SQL injection is: The server side code must carefully validate the input information before the SQL request is formed. (e.g. the username and password may only be a certain length or would not allow spaces etc.)

  extra SQL commands into the input boxes, hoping these commands will be carried out by the server

  SQL code to damage the website

  extra SQL commands that are typed directly into the server's database to corrupt it

  blank spaces to delete the database