SQL Injection Intro (5) | Data Control Language (DCL) | Cycubix Docs
Data Control Language (DCL)
Data control language is used to create privileges to allow users to access and manipulate the database.
If an attacker uses SQL injection of the DCL type to manipulate your database, he will violate the following of the three protection goals in information security: confidentiality (grant) and availability (revoke). Unwanted people could grant themselves admin privileges or revoke the admin rights from an administrator.
DCL commands are used for providing security to database objects.
GRANT - allow users access privileges to the database
REVOKE - withdraw users' access privileges given by using the GRANT command
Example:
GRANT CREATE TABLE TO operator;
This statement gives all users of the operator-role the privilege to create new tables in the database.
Try to grant the user group "UnauthorizedUser" the right to alter tables:
Solution
💡 Look at the example. There is everything you will need.
SQL query: GRANT ALTER TABLE TO UnauthorizedUser
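From the defender's side, GRANT or REVOKE statements arriving from an application account are a strong signal, because such accounts normally never issue DCL. The following is an added example, not part of the original lesson: it scans constructed audit lines for DCL statements from accounts outside an allowlist. The `user|statement` log format and the account names `dba_admin` and `webapp` are assumptions made for illustration.

```python
import re
# Assumption: hypothetical allowlist of accounts that may legitimately run DCL.
DBA_ACCOUNTS = {"dba_admin"}
DCL = re.compile(r"^(GRANT|REVOKE)\b", re.IGNORECASE)

def split_statements(sql):
    """Split on ';' outside single-quoted strings; drop -- and /* */ comments."""
    out, buf, i, in_str = [], [], 0, False
    while i < len(sql):
        ch = sql[i]
        if ch == "'":  # an escaped '' toggles twice, so it stays inside the string
            in_str = not in_str
        if in_str or ch == "'":
            buf.append(ch)
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl
            continue
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            i = len(sql) if end == -1 else end + 2
            buf.append(" ")
            continue
        elif ch == ";":
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    out.append("".join(buf).strip())
    return [s for s in out if s]

def dcl_alerts(log_lines):
    """Return (user, keyword, statement) for DCL run by non-allowlisted accounts."""
    alerts = []
    for line in log_lines:
        user, _, sql = line.partition("|")
        for stmt in split_statements(sql):
            m = DCL.match(stmt)
            if m and user not in DBA_ACCOUNTS:
                alerts.append((user, m.group(1).upper(), stmt))
    return alerts

# Constructed sample audit lines in the assumed "user|statement" format.
SAMPLE_LOG = [
    "dba_admin|GRANT CREATE TABLE TO operator",
    "webapp|GRANT ALTER TABLE TO UnauthorizedUser",
    "webapp|SELECT note FROM memo WHERE note = 'please GRANT; REVOKE later'",
    "webapp|SELECT 1; /* cleanup */ revoke CREATE TABLE FROM operator",
]
```

Detection complements the stronger control: application accounts should not hold privileges that let them grant or revoke rights in the first place.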