SQL Injection - Salem73616C656D/reading-notes GitHub Wiki
Key Takeaways
Why It Matters
- SQL is a major database search and filtration method and is used in MOST databases
- An attacker with basic SQL knowledge is able to exploit a web application that hasn't been properly secured.
Why Use Web Frameworks
- In general, web frameworks prevent SQL injection attacks by providing easy methods of data querying so that developers aren’t seduced into writing hideously vulnerable SQL string concatenation statements.
- First, they offer specific user input sanitization countermeasures to defeat common SQL Injection patterns: the framework will strip NULL characters, line breaks, single quotes, etc. that are often used to piggyback additional SQL commands into an intended query.
- Second, they provide a syntax for declaring what a SQL statement is supposed to look like before actually trying to execute it. Depending on what framework you’re using, the name may vary, but the intent is the same: make sure that the form of the SQL statement that you want to execute is correct prior to running it.
Vocabulary
SQL
- (Structured Query Language) is a standardized programming language that's used to manage relational databases and perform various operations on the data in them.
SQL Injection
- also known as SQLI, is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed. This information may include any number of items, including sensitive company data, user lists or private customer details.