Wrapping up – (No-)SQL injection in theory
OK, that was quite a lot of information. Let's recap what we have covered in this theoretical section so far.
SQL injection can be used by attackers in a variety of scenarios. In this chapter, we have seen examples regarding two common purposes, as follows:
- Obtaining undisclosed information about the database or its content, through database exploration or inference techniques
- Gaining privileged access to applications that use a shared database system
Limiting application functionality could also be possible using SQL statements such as DROP, or through modification of vital information in a database, such as login information.
In this chapter, we added another very important tool to be used within SQL statements, as follows:
UNION can be added to existing statements to return results pertaining to another query within the same result table. To function properly, it's necessary that...
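An added example (not from the book) of the UNION case recapped above, run against a constructed in-memory SQLite database: the same input returns rows from another table when it is concatenated into the statement, and returns nothing when it is bound as a parameter. The table names, sample rows and function names are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Build a constructed in-memory database (sample data, not from the book)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('lamp', '19.90'), ('desk', '120.00');
        INSERT INTO users VALUES ('admin', 's3cret-hash');
    """)
    return db

def search_vulnerable(db, term):
    # Vulnerable: user input is concatenated into the statement text,
    # so the input can change the structure of the query.
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return db.execute(sql).fetchall()

def search_parameterized(db, term):
    # Hardened: the input is bound as a value and is never parsed as SQL.
    return db.execute(
        "SELECT name, price FROM products WHERE name = ?", (term,)
    ).fetchall()

def leaked_rows(rows, db):
    """Detection helper: result rows that do not exist in the products table."""
    known = set(db.execute("SELECT name, price FROM products").fetchall())
    return [r for r in rows if r not in known]

# Constructed input: a second SELECT appended to the statement with UNION.
UNION_INPUT = "x' UNION SELECT username, password FROM users --"

if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_parameterized):
        rows = fn(db, UNION_INPUT)
        print(fn.__name__, "->", rows, "leaked:", leaked_rows(rows, db))
```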