
How to Hack a Database.  What is SQL?  Database Basics  SQL Insert Basics  SQL Select Basics  SQL Where Basics  SQL AND & OR Basics  SQL Update.


1 How to Hack a Database

2  What is SQL?  Database Basics  SQL Insert Basics  SQL Select Basics  SQL Where Basics  SQL AND & OR Basics  SQL Update Basics  SQL Delete Basics  SQL Injection Basics

3  Basic Database Functions  Structured Query Language  Common Language for a Variety of Databases  ANSI Standard  Database-Specific Extensions  Uses Common Baseline Syntax  Scripting Language  Allows Comments (--)  Semicolon Terminates Command (;)

4  Pros:  Very Flexible  Universal (Oracle, SQL Server, MySQL)  Relatively Few Commands to Learn  Cons:  Requires Detailed Knowledge of the Structure of the Database  Can Provide Misleading Results

5 FFour Basic Operations CCRUD CC – Create (Insert) RR – Read (Select) UU – Update DD – Delete

6 IINSERT – Allows Data to be Inserted into Database TThree Basic Components TTable CColumn(s) VValues

7 SSyntax IINSERT INTO t able ( column(s) ) VALUES ( value(s) ) TTable – Name of Table Data is Being Stored In CColumn(s) – Name of Column, or Columns, to Insert Data Into VValue(s) – Values to Insert NNote : Columns and Values Must be in Same Order

8  Select – Select Data from Database  Syntax  SELECT column(s) FROM table WHERE condition  Column(s) – Column, or Columns, Names to Retrieve  “*” – Means All Columns from table  Table – Table Name to Get Data From  Can be more than one table

9  Example  Select state_name, state_abbr FROM states  Select * FROM agencies

10  Where Clause  Added to Refine Result Set  Uses Conditional Operators (=, >, >=, <, <=, <>)  BETWEEN x AND y  IN ( list )  LIKE '%string' ("%" is a wild-card)  IS NULL  NOT {BETWEEN / IN / LIKE / NULL}

11  Examples  SELECT * FROM annual_summaries WHERE sd_duration_code = '1'  SELECT state_name FROM states WHERE state_population > 15000000  SELECT * FROM annual_summaries WHERE sd_duration_code IN ('1','W','X') AND annual_summary_year = 2000

12  Multiple WHERE conditions are Linked by AND / OR Statements  “AND” – All Conditions True  “OR” – At Least One Condition is TRUE  Group with ()

13  Allows Changes to Row(s) of Data in a Table  Three Basic Parts  Name of Table to Update  Column Name to Update  Value to Update  Can Update More Than One Column at a Time  Can Include a WHERE Clause for a More Refined Update

14 SSyntax UUPDATE t able SET c olumn = v alue WHERE c olumn = value EExample UUPDATE clubs SET ClubName = ‘Club 1’ WHERE ClubID = 1

15  Allows for Data to be Removed from the Database  One Required Part  Table Name  Can Delete All Data in Table, or Just Selected Data  One Optional Part  WHERE Clause – Allows for Selective Delete

16  Syntax  DELETE FROM table WHERE column = value  Table – Name of Table to Remove Data from  Column – Name of Column in Table  Value – Value that is in the Column  Example  DELETE FROM clubs (Deletes all Data in Table)  DELETE FROM clubs WHERE ClubID = 1
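As an added example, not part of the slides: the INSERT, SELECT/WHERE, UPDATE and DELETE forms from slides 6 through 16 run against an in-memory SQLite database. The `states` table and its rows are constructed sample data (the column names follow slides 8 to 11), and the last two queries show why slide 12's advice to group conditions with parentheses matters.

```python
import sqlite3

# Added example, not from the slides: the CRUD forms of slides 6-16 run
# against an in-memory SQLite database. The `states` table and its rows
# are constructed sample data; the column names follow slides 8-11.
def build_states_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE states (state_name TEXT, state_abbr TEXT, "
                 "state_population INTEGER, region TEXT)")
    # INSERT: the column list and the value list must be in the same order.
    conn.executemany(
        "INSERT INTO states (state_name, state_abbr, state_population, region) "
        "VALUES (?, ?, ?, ?)",
        [("California", "CA", 39000000, "West"),
         ("Texas", "TX", 29000000, "South"),
         ("Florida", "FL", 21000000, "South"),
         ("Vermont", "VT", 640000, "Northeast"),
         ("Guam", "GU", 170000, None)])        # NULL region for IS NULL
    return conn

def names(cursor) -> list:
    # Sorted state_name values from a single-column result set.
    return sorted(row[0] for row in cursor)

def where_examples(conn) -> dict:
    q = conn.execute
    return {
        "gt": names(q("SELECT state_name FROM states WHERE state_population > 15000000")),
        "between": names(q("SELECT state_name FROM states "
                           "WHERE state_population BETWEEN 600000 AND 25000000")),
        "in": names(q("SELECT state_name FROM states WHERE state_abbr IN ('CA', 'VT')")),
        "like": names(q("SELECT state_name FROM states WHERE state_name LIKE '%a'")),
        "is_null": names(q("SELECT state_name FROM states WHERE region IS NULL")),
        # AND binds tighter than OR, so without parentheses this means
        # (region = 'South' AND population > 25M) OR abbr = 'VT'.
        "ungrouped": names(q("SELECT state_name FROM states WHERE region = 'South' "
                             "AND state_population > 25000000 OR state_abbr = 'VT'")),
        # Grouping with () (slide 12) keeps the region test in force.
        "grouped": names(q("SELECT state_name FROM states WHERE region = 'South' "
                           "AND (state_population > 25000000 OR state_abbr = 'VT')")),
    }

def update_and_delete(conn) -> tuple:
    # UPDATE one column on the rows a WHERE clause selects (slide 14).
    conn.execute("UPDATE states SET region = 'Pacific' WHERE state_abbr = 'GU'")
    region = conn.execute("SELECT region FROM states WHERE state_abbr = 'GU'").fetchone()[0]
    # DELETE with a WHERE clause removes only matching rows; without one it
    # would empty the whole table (slide 16).
    conn.execute("DELETE FROM states WHERE state_population < 1000000")
    return region, names(conn.execute("SELECT state_name FROM states"))
```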

17  SQL Injection Takes Advantage of Poor Programming  Inserting SQL Commands into Input Field for Exploitation  Example User Name / Password Input (admin, admin) Into SQL:  SELECT * FROM users WHERE username = 'admin' AND password = 'admin'  Returns Data for User admin Where Password is admin

18  SQL Injection Input (admin, ' or 1 = 1 --)  SELECT * FROM users WHERE username = 'admin' AND password = '' or 1 = 1 --  Returns Data for User admin Where Password is Empty OR 1 = 1 (Always True)  Note: This will Return All Data in Table

19  Can Create New User  Using Same User Name / Password Example  Input (admin, ';INSERT INTO Users VALUES ('Hijack','This') --)  SQL  SELECT * FROM users WHERE username = 'admin' AND password = '';INSERT INTO Users VALUES ('Hijack','This') --  Note: Creates a New User (Hijack) with a Password (This)

20  Can Change Table Values  Using Same User Name / Password Example  Input (admin, ';UPDATE Orders SET Amount=0.01 --)  SQL  SELECT * FROM users WHERE username = 'admin' AND password = '';UPDATE Orders SET Amount=0.01 --  Note: Sets all Order Amounts to One Cent
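As an added example, not part of the slides: the login query of slides 17 through 20 built by string concatenation (the flaw) next to the same query with bound parameters (the fix), using the inputs the slides show. The `users` table and its rows are constructed data; the last function is a caveat on slides 19 and 20 for this particular driver.

```python
import sqlite3

# Added example, not from the slides: the login query of slides 17-18 built
# by string concatenation (the flaw) next to the same query with bound
# parameters (the fix). The `users` table and its rows are constructed data.
def build_users_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "admin"), ("alice", "s3cret")])
    return conn

def login_vulnerable(conn, username: str, password: str) -> list:
    # User input is pasted into the statement text, so a quote character in
    # the input closes the literal and the rest is parsed as SQL (slide 18).
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))

def login_safe(conn, username: str, password: str) -> list:
    # Bound parameters: the values travel separately from the statement, so
    # quotes in the input stay data and cannot change what the query does.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))

def stacked_statement_blocked(conn) -> bool:
    # Caveat for slides 19-20: sqlite3's execute() refuses a second
    # ';'-separated statement (raised as sqlite3.Warning on older Pythons and
    # sqlite3.ProgrammingError on newer ones), so those payloads fail on this
    # driver. Other drivers and databases do run stacked statements, so the
    # bound parameters above, not the driver, are the actual defence.
    try:
        login_vulnerable(conn, "admin", "';UPDATE users SET password = 'x' --")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False
```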

21  SQL  http://w3schools.com/sql/sql_syntax.asp  http://www.teach-ict.com/as_as_computing/ocr/H447/F453/3_3_9/sqlintro/miniweb/index.htm  SQL Injection  http://zerofreak.blogspot.com/2012/01/chapter2-basic-sql-injection-with-login.html  Practice Site  http://google-gruyere.appspot.com/

