SQL Injection Intro (4) | Data Definition Language (DDL) | Cycubix Docs


Data Definition Language (DDL)

Data definition language includes commands for defining data structures, especially database schemas which tell how the data should reside in the database.

If an attacker uses SQL injection of the DDL type to manipulate your database, they violate two of the three protection goals of information security: integrity (ALTER) and availability (DROP). (Only people authorized to change or delete the data should be able to do so.)

  • DDL commands are used for creating, modifying, and dropping the structure of database objects.

  • CREATE - creates a database and its objects (tables, views, ...)

  • ALTER - alters the structure of the existing database

  • DROP - delete objects from the database

  • Example:

    • CREATE TABLE employees( userid varchar(6) not null primary key, first_name varchar(20), last_name varchar(20), department varchar(20), salary varchar(10), auth_tan varchar(6) );

    • This statement creates the employees example table given on page 2.

Now try to modify the schema by adding the column "phone" (varchar(20)) to the table "employees":

Solution

💡 ALTER TABLE alters the structure of an existing database.

💡 Do not forget the data type of the new column (e.g. varchar(size) or int(size)).

💡 ALTER TABLE table_name ADD column_name data_type(size);

SQL query: ALTER TABLE employees ADD phone varchar(20)
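As an added example (not from Cycubix or the lesson itself), the Python script below builds the employees table from the CREATE TABLE statement above in an in-memory SQLite database, applies the solution's ALTER TABLE, reads back the schema to confirm the new column, and shows why parameterised queries matter for the integrity and availability goals: a value bound as a parameter is never parsed as SQL, so DDL text inside user input cannot reach the table. The sample row and the injected string are constructed for the demo.

```python
import sqlite3

# Schema from the lesson's CREATE TABLE example (employees table, page 2).
CREATE_EMPLOYEES = """
CREATE TABLE employees(
    userid     varchar(6) not null primary key,
    first_name varchar(20),
    last_name  varchar(20),
    department varchar(20),
    salary     varchar(10),
    auth_tan   varchar(6)
)"""
# The lesson's solution: add the "phone" column to the existing table.
ALTER_ADD_PHONE = "ALTER TABLE employees ADD phone varchar(20)"
# Constructed input carrying a DDL statement (the availability goal: DROP).
DDL_IN_INPUT = "x'; DROP TABLE employees; --"


def open_db():
    """In-memory SQLite database with the lesson's table and one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE_EMPLOYEES)
    conn.execute("INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?)",
                 ("E0001", "Alice", "Example", "Dev", "50000", "AB1234"))
    return conn


def column_names(conn):
    """Read the live schema so the effect of a DDL statement can be verified."""
    return [row[1] for row in conn.execute("PRAGMA table_info(employees)")]


def add_phone_column(conn):
    """Apply the solution's ALTER TABLE and return the resulting column list."""
    conn.execute(ALTER_ADD_PHONE)
    return column_names(conn)


def find_by_last_name(conn, last_name):
    """Parameterised lookup: the value is bound as data and never parsed as SQL,
    so DDL text inside last_name can neither alter nor drop the table."""
    cur = conn.execute("SELECT userid FROM employees WHERE last_name = ?", (last_name,))
    return [row[0] for row in cur.fetchall()]


def table_exists(conn):
    """True while the employees table is still present in the catalogue."""
    cur = conn.execute("SELECT count(*) FROM sqlite_master WHERE type='table' AND name='employees'")
    return cur.fetchone()[0] == 1
```

Running `find_by_last_name(open_db(), DDL_IN_INPUT)` returns an empty list and `table_exists` stays true, because the bound value is compared as a string rather than executed.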

Further training

Visit Cycubix.com to find out more about our Application Security training courses. We also offer (ISC)² Official training for CISSP, SSCP, CCSP and CSSLP certifications.
