SQL Injection Intro (3) | Data Manipulation Language (DML) | Cycubix Docs
Data manipulation language deals with the manipulation of data and includes the most common SQL statements. Read on to learn more about data manipulation language.
Data Manipulation Language (DML)
As the name says data manipulation language deals with the manipulation of data and includes the most common SQL statements such as SELECT, INSERT, UPDATE, DELETE, etc., and it is used for requesting a result set of records from database tables (select), adding (insert), deleting and modifying (update) data in a database.
If an attacker uses SQL injection of the DML type to manipulate your database, he will violate two of the three protection goals in information security: confidentiality (…), meaning only people authorized to read the data can do so, and integrity (update), meaning only authorized changes are made to the data.
DML commands are used for storing, retrieving, modifying, and deleting data.
SELECT - retrieve data from a database
INSERT - insert data into a table
UPDATE - update existing data within a table
DELETE - delete records from a table (all of them if no WHERE clause restricts the statement)
Example:
Retrieve data:
SELECT phone FROM employees WHERE userid = 96134;
This statement delivers the phone number of the employee with the userid 96134.
It is your turn!
Try to change the department of Tobi Barnett to 'Sales'. Note that you have been granted full administrator privileges in this assignment and can access all data without authentication.
Solution
💡 Try the UPDATE statement 💡 UPDATE <table name> SET <column name>=<value> WHERE <condition>;
SQL query: UPDATE employees SET department='Sales' WHERE first_name='Tobi'
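As an added example that is not part of the Cycubix page or of the WebGoat lesson it follows, the Python script below builds a small constructed employees table in SQLite and runs the page's SELECT (confidentiality: reading the phone number) and the exercise's UPDATE (integrity: changing Tobi's department) with bound parameters, returning the affected-row count so the caller can confirm that exactly one employee changed. A string-concatenated UPDATE sits beside the parameterised one to show why a quote character in the input alters the SQL text instead of staying data. The table and column names follow the page's statements; the rows, userids and the employee named D'Arcy are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example (not the lesson's dataset);
# the column names follow the page's SELECT and UPDATE statements.
EMPLOYEES = [
    (96134, "Bob", "Franco", "Marketing", "555-0101"),
    (34477, "Tobi", "Barnett", "Development", "555-0102"),
    (37648, "D'Arcy", "Lane", "Development", "555-0103"),
]


def open_db():
    """Create an in-memory SQLite database holding the constructed employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees ("
        "userid INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, "
        "department TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def phone_of(conn, userid):
    """SELECT: the page's retrieval example, with userid passed as a bound parameter."""
    row = conn.execute(
        "SELECT phone FROM employees WHERE userid = ?", (userid,)
    ).fetchone()
    return row[0] if row else None


def department_of(conn, first_name):
    """Helper used to verify the result of an UPDATE."""
    row = conn.execute(
        "SELECT department FROM employees WHERE first_name = ?", (first_name,)
    ).fetchone()
    return row[0] if row else None


def set_department_concat(conn, first_name, department):
    """UPDATE built by string concatenation: the input becomes part of the SQL text,
    so a quote in the input changes the structure of the statement."""
    sql = (
        f"UPDATE employees SET department='{department}' "
        f"WHERE first_name='{first_name}'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def set_department_param(conn, first_name, department):
    """UPDATE with bound parameters: the input is always data, never SQL.
    Returns the number of rows changed so the caller can check the integrity
    expectation that exactly one employee was updated."""
    cur = conn.execute(
        "UPDATE employees SET department = ? WHERE first_name = ?",
        (department, first_name),
    )
    conn.commit()
    return cur.rowcount


def demo():
    """Run the page's SELECT, the exercise's UPDATE, and the concat-vs-param contrast."""
    conn = open_db()
    results = {}
    results["phone"] = phone_of(conn, 96134)
    # The exercise: move Tobi Barnett to Sales. Exactly one row should change.
    results["tobi_rows"] = set_department_param(conn, "Tobi", "Sales")
    results["tobi_dept"] = department_of(conn, "Tobi")
    # A legitimate name containing a quote: the concatenated statement is no
    # longer valid SQL, while the parameterised one updates the row as intended.
    try:
        set_department_concat(conn, "D'Arcy", "Sales")
        results["concat_ok"] = True
    except sqlite3.OperationalError:
        results["concat_ok"] = False
    results["darcy_rows"] = set_department_param(conn, "D'Arcy", "Sales")
    results["darcy_dept"] = department_of(conn, "D'Arcy")
    conn.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The rowcount returned by the parameterised UPDATE is the check a practitioner wants around any DML statement issued on behalf of a user: if it is not the expected 1, the WHERE clause matched something other than the intended record and the change should be rolled back and logged rather than committed.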
Further training
Visit Cycubix.com to find out more about our Application Security training courses. We also offer (ISC)² Official training for CISSP, SSCP, CCSP and CSSLP certifications.