5. SQL Injection vulnerabilities and attack methods

This series of articles is dedicated to the basics of SQL (Structured Query Language) and vulnerabilities in databases that use this language.

Modern websites extensively use databases to store various types of data. These include:

  • Texts for articles displayed in the browser. The text you read is also stored in the database and retrieved from it when a specific request occurs.
  • Product names, descriptions, and prices, in the case of online stores.
  • Lists of users and their passwords.

This is far from an exhaustive list of stored data.

By using parameters in GET and POST requests, the user submits a specific request to the web application. The application generates an SQL query into which it inserts the values obtained from the GET/POST request. After retrieving the data from the database, the application sends it back to the user in the requested format, such as JSON, HTML, and other formats.

I believe you've already guessed where the vulnerability lies. It lies in how the application handles incoming user data. A user can pass any values to the server, and without proper data filtering and validation, this can lead to disastrous results.
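How a request value ends up inside the query, as an added example that is not part of the original article: the table, the sample rows and the function names are constructed for illustration, using Python's built-in sqlite3 module. It passes the same three request values to a query built by string concatenation and to one that binds the value to a placeholder.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample articles."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER, title TEXT, published INTEGER)")
    db.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Welcome", 1), (2, "SQL basics", 1),
         (3, "Unreleased draft", 0), (4, "Editor's picks", 1)],
    )
    return db

def find_concatenated(db, title):
    """Vulnerable: the request value becomes part of the SQL text itself."""
    query = ("SELECT id, title FROM articles "
             "WHERE published = 1 AND title = '" + title + "'")
    return db.execute(query).fetchall()

def find_parameterized(db, title):
    """Hardened: the value is bound to a placeholder and stays plain data."""
    query = "SELECT id, title FROM articles WHERE published = 1 AND title = ?"
    return db.execute(query, (title,)).fetchall()

def compare(db, title):
    """Run both versions on the same request value and return both results."""
    try:
        unsafe = find_concatenated(db, title)
    except sqlite3.OperationalError as exc:
        # A stray quote in the value broke the syntax of the generated query.
        unsafe = "error: " + str(exc)
    return unsafe, find_parameterized(db, title)

if __name__ == "__main__":
    db = make_db()
    # Constructed request values: an ordinary title, a legitimate title that
    # contains an apostrophe, and a value that carries SQL syntax of its own.
    for value in ["Welcome", "Editor's picks", "x' OR '1'='1"]:
        unsafe, safe = compare(db, value)
        print(repr(value))
        print("  concatenated :", unsafe)
        print("  parameterized:", safe)
```

With the third value, the concatenated query's WHERE clause is rewritten by the input and the unpublished row comes back along with every other row, while the parameterized query simply finds no article with that title.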

To understand how SQL Injection methods work, it's essential first to study the syntax of SQL queries. In the next lesson, we will delve into the basics of SQL and learn how to formulate queries to interact with databases. You will learn how to extract, delete, and modify information in databases.

Then we will explore various methods for hacking databases and practice on vulnerable applications.