A3:2021 | SQL Injection Intro (8) | Cycubix Docs

Severity of SQL injection

The severity of SQL injection attacks is limited by

  • Attacker’s skill and imagination

  • Defense in depth countermeasures

    • Input validation

    • Least privilege

  • Database technology

Not all databases support command chaining

  • Microsoft Access

  • MySQL Connector/J and C

  • Oracle

SQL injection is more common in PHP, Classic ASP, ColdFusion and older languages

  • Languages that did not originally provide parameterized query support

  • Parameterized queries have been added to newer versions

  • Early adopters of web technology (i.e. old code)
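The two countermeasures named above, parameterized queries and input validation, are easiest to see side by side. The following Python example is added here for illustration and is not part of the original lesson; it uses the standard-library sqlite3 driver with a constructed in-memory users table and hypothetical function names. The string-concatenated lookup lets a single quote in the input change the query's structure, the parameterized lookup treats the same input as an ordinary value, and the sort helper shows the case parameters cannot cover (an identifier), where an allowlist is the right check:

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table for the demonstration (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the input is spliced into the SQL text, so it can rewrite the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterized form: the driver binds the value separately; it can never become SQL grammar."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Column names are identifiers, not values, so they cannot be bound as parameters.
# Input validation against a fixed allowlist is the control that applies here.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_users_sorted(conn, column):
    """Allowlist-validated identifier: anything outside the known set is rejected before reaching SQL."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = f"SELECT name FROM users ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote character
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no user has that literal name
    print("sorted:", list_users_sorted(db, "name"))
```

Running the script shows the concatenated query returning all three users for the quoted input while the parameterized query returns none. The sqlite3 driver also refuses to run more than one statement per `execute()` call, which is the "database technology" factor listed above: the database and driver in use shape what an injection can reach, but the fix is still parameterization plus validation, not reliance on that limit.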

Not all databases are equal (SQL Server)

  • Command shell: master.dbo.xp_cmdshell 'cmd.exe dir c:'

  • Registry commands: xp_regread, xp_regdeletekey, …
