A3:2021 | SQL Injection Intro (8) | Cycubix Docs
Severity of SQL injection
The severity of SQL injection attacks is limited by:
- Attacker’s skill and imagination.
- Defense in depth countermeasures.
- Input validation.
- Least privilege.
- Database technology.
Not all databases support command chaining. The following do not:
- Microsoft Access.
- MySQL Connector/J and C
- Oracle
SQL injection is more common in PHP, Classic ASP, ColdFusion and older languages:
- Languages that do not provide parameterized query support.
- Parameterized queries have been added to newer versions.
- Early adopters of web technology (i.e. old code).
Not all databases are equal (SQL Server):
- Command shell:
  master.dbo.xp_cmdshell 'cmd.exe dir c:'
- Registry commands:
  xp_regread, xp_regdeletekey, …
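
The lists above name least privilege as a limit on severity and the SQL Server command shell and registry procedures as what raises it. The following T-SQL is an added example, not part of the original lesson, that audits and reduces that exposure; the login `webapp_login`, user `webapp_user`, database `shop` and table `dbo.products` are hypothetical names.

```sql
-- Added example: audit what an injected statement could reach on SQL Server.
-- Run as an administrator. shop, dbo.products, webapp_login and webapp_user
-- are hypothetical names used only for illustration.

-- 1. Is the command shell enabled? value_in_use = 1 means yes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Who is in sysadmin? These logins can run xp_cmdshell (and re-enable it),
--    so an application login must never appear in this list.
SELECT m.name AS sysadmin_member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = N'sysadmin';

-- 3. Explicit permissions on the extended procedures named in the lesson.
USE master;
SELECT pr.name AS principal_name,
       o.name  AS procedure_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.all_objects AS o ON pe.major_id = o.object_id
JOIN sys.database_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class = 1
  AND o.name IN (N'xp_cmdshell', N'xp_regread', N'xp_regdeletekey');

-- 4. Disable the command shell if nothing legitimate depends on it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Least privilege: the web application connects with a login that can
--    only read the one table it needs. Replace the placeholder password.
CREATE LOGIN webapp_login WITH PASSWORD = N'<replace-with-strong-password>';
USE shop;
CREATE USER webapp_user FOR LOGIN webapp_login;
GRANT SELECT ON dbo.products TO webapp_user;
```

Review the output of step 3 before revoking anything from `public`, since some administration tools rely on the registry procedures.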