06 - SQL Injection

 1. Read the text on the image below. Let's start at the beginning - what is SQL?
sqlinjection_question1.png

  Structured Query Language

  Simplified Question Lingo

  Samsung Quip Language

  Sentient Quotient Lizard

 2. What is SQL used for?

  used to structure questions and post them on the internet

  used for creating games

  used by hackers, and only by hackers

  used in programming and designed for managing data held in a relational database management system (e.g. one linked to a website)

 3. A large number of online websites that have database-driven features (e.g. customers signing up) will use SQL databases
sqlinjection_question3.png

  TRUE

  FALSE

 4. Here is an example of an SQL statement. It is selecting the fields firstname and lastname from a table…
sqlinjection_question4.gif

  …called tblStaff for only the staff who are in the London Office

  …called tblLondon where all staff are located

  There are no tables being referred to in this code

  …that is called the "London Office"

 5. Which of the following statements about the SQL injection is true?
1. SQL injection is a code injection technique that might destroy your database.

2. SQL injection is one of the most common web hacking techniques.

3. SQL injection is the placement of malicious code in SQL statements, via web page input.

  Only 1 is true

  Only 1 and 3 are true

  They are all true

  None of them are true

 6. SQL injection usually occurs when you ask a user for input, like their username/userid, and instead of a name/id…

  The user uses physical ink to inject and corrupt your database

  The user uses python programming code to hack into your mysql database

  The user enters the phrase "sql injection" into the field, which will delete your database

  the user gives you an SQL statement that you will unknowingly run on your database.

 7. Analyse the code below. The original/intended purpose of the code was to …
sqlinjection_question7.png

  create an SQL statement that prevents a hacker

  create an SQL statement that allows zero input

  create a text input box

  create an SQL statement to select a user, with a given user id.

 8. Why would or could this be dangerous?
If there is nothing to prevent a user from entering "wrong" input, the user can enter some "sly" input like shown in the image. The SQL above is valid and will return ALL rows from the "Users" table, since OR 1=1 is always TRUE.
sqlinjection_question8.png

  This could never be dangerous

  The "Users" table could contain names and passwords that the hacker may then see.

  The "Users" table could be instantly deleted

  The "Users" table could inject the hacker's own machine in a reverse attack

 9. An example of an SQL injection is: A hacker might get access to all the user names and passwords in a database, by simply inserting 105 OR 1=1 into the input field.

  FALSE

  TRUE

 10. Read through the example below. Why could this be dangerous?
sqlinjection_question10.png

  because the SQL would be invalid and would do nothing

  because the SQL would be valid and will return all rows from the "Users" table, since OR ""="" is always TRUE.

  because the SQL would cause the entire contents of the database to be corrupted

  because the SQL has entered rubbish, and the integrity of the database data will be affected.

 11. Select which SQL statement will do what the description says.
Most databases support batched SQL statements.
A batch of SQL statements is a group of two or more SQL statements, separated by semicolons.
The SQL statement below will return all rows from the "Users" table, then delete the "Suppliers" table.

  * FROM Users; DROP TABLE 

  SELECT FROM All; DROP TABLE Suppliers

  SELECT * FROM Users; DROP TABLE Suppliers

  SELECT * FROM; DO TABLE Suppliers

 12. Analyse the image and what is happening below. What would the resulting SQL statement be?
sqlinjection_question12.png

  SELECT * FROM Users WHERE UserId = 105;

  SELECT * FROM Suppliers WHERE UserId = 105; DROP TABLE Users;

  SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers;

  DROP TABLE Suppliers;

 13. To protect a web site from SQL injection, you can use SQL _______________

  parameters

  parentheses

  prolife

  prayers

 14. SQL parameters are values that are added to an SQL query at execution time, in a controlled manner.
The SQL engine checks each parameter to ensure that it is correct for its column, and parameters are treated literally, not as part of the SQL to be executed.

  FALSE

  TRUE

 15. True or False
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

  TRUE

  FALSE

 16. SQL injection (SQLI) was considered one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project.

  TRUE

  FALSE

 17. Blind SQL Injection is used when a web application is vulnerable to an SQL injection and the results of the injection are wholly visible to the attacker

  TRUE

  FALSE

 18. In 2015, an SQL injection attack stole the personal details of 156,959 customers from British telecommunications company TalkTalk's servers

  TRUE

  FALSE

 19. In 2009, the US Department of Justice charged an American, Albert Gonzalez, and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack
sqlinjection_question19.png

  True

  False

 20. Put simply, an SQL injection is when a user tries to use…
*Note: the simple answer for how to prevent an SQL injection is: The server side code must carefully validate the input information before the SQL request is formed. (e.g. the username and password may only be a certain length or would not allow spaces etc.)

  extra SQL commands into the input boxes, hoping these commands will be carried out by the server

  blank spaces to delete the database

  extra SQL commands that are typed directly into the server's database to corrupt it

  sql code to damage the website