Ctrlk

A3:2021 | SQL Injection Intro (8) | Cycubix Docs

Severity of SQL injection

The severity of SQL injection attacks is limited by:

Attacker’s skill and imagination.
Defense in depth countermeasures.
- Input validation.
- Least privilege.
Database technology.

Not all databases support command chaining:

Microsoft Access.
MySQL Connector/J and C
Oracle

SQL injection is more common in PHP, Classic ASP, Cold Fusion and older languages:

Languages that do not provide parameterized query support.
Parameterized queries have been added to newer versions.
Early adopters of web technology (i.e. Old Code).

Not all databases are equal (SQL Server):

Command shell: master.dbo.xp_cmdshell 'cmd.exe dir c:'
Registry commands: xp_regread, xp_regdeletekey, …

PreviousA3:2021 | SQL Injection Intro (7) | Cycubix Docs NextA3:2021 | SQL Injection Intro (9) | Cycubix Docs

Last updated 1 year ago

Was this helpful?