
FINAL YEAR ASSIGNMENT

30354617 INFS 311


Database Systems
DG MOSHANE
30354617 Database Systems, Final year assignment
DG MOSHANE
TABLE OF CONTENTS

1. SQL injection
1.1. Introduction to SQL injection
1.2. SQL injection
1.3. How SQL injection works
1.4. Understanding how it occurs
1.5. Understanding web application database operations
1.6. Different types of SQL injection
1.7. A list of six steps that can assist you in avoiding SQL injection
1.8. Practices for avoiding SQL injection flaws
2. NoSQL databases
2.1. NoSQL databases
2.2. Different types of NoSQL databases
2.3. Difference between relational database management systems and NoSQL databases
2.4. Summary comparison between NoSQL and RDBMS
3. Conclusion
3.1. Conclusion
4. Referencing
4.1. Referencing

1. SQL injection

1.1 Introduction to SQL injection

SQL injection is a technique used by attackers to attack a system or web application database in order to gain unauthorised access to that system or database. SQL commands are injected into the application as input data.

1.2 SQL injection

The main objective of SQL injection is for the attacker to trick the database or system into executing malicious commands that can expose a business's confidential data (Ingalls, 2021). The potential effects of a successful attack include access to information such as user lists and tables, as well as destruction of data. In other circumstances the attacker can obtain administrator privileges over the database or system and steal any data saved in it. Stolen data can include the contact details, addresses, credit card details, names and surnames of customers, salespeople, employees and others, all of which is extremely harmful to an organisation; in this situation the organisation loses customer loyalty and trust (SQL Injection, 2002). The Open Web Application Security Project (OWASP) describes SQL injection as the most recognised, powerful and most used attack globally, as well as the deadliest.

1.3 How SQL injection works

Staff, clients, administrators and other business partners have the right to modify data in the web application's database, and any database user with access can visit the application and change data (MongoDB, 2022). Examples of the forms through which users have this access are site search engines, sign-up forms, contact forms, service forms and log-out forms; they all provide a connection into the back-end database. These multiple points of entry may be included in an "off-the-shelf" application created precisely for an organisation's web application database. The windows and their associated code are likely to have come from different places, to have been requested at different locations and times, and to have been used by different people (David, 2022).

The attacker uses the available input fields to access a private database or system. This is done by inserting SQL commands into the input fields instead of the expected input. Coded forms give the attacker a first step into the database or system, at which point the data in that database, as well as its connections to other databases on the same server or even to other servers on the network, may become exposed. Since the fields displayed for user input and output allow SQL statements to reach the database directly, all input and output features of a website are vulnerable to SQL injection attacks. To execute harmful SQL queries against a web application database server, an attacker first needs to find an input or output in the web application that is placed inside a SQL query (Invicti, 2022). For a SQL injection attack to succeed, the attack must include user input in a SQL statement. The attacker can then insert malicious SQL code into the query, which will be executed against the web application database server.
1.4 Understanding how it occurs

The most common cause of SQL injection exposure is a database developer failing to validate or sanitise values received through an input or output before passing them to SQL queries that will be executed by the web application database server (Gitbook, 2021).

Attackers can only run code on the web application database server if they are able to control the input data provided to a SQL query and modify it, so that the input data is treated as code rather than as data.

In most cases database developers develop insecure web application databases that are more vulnerable to SQL injection because they lack a clear understanding and awareness of the possible safety issues in the code that is being created (Snyk, 2022).

Below is a picture and explanation showing a SQL injection attack between an attacker, the database input text fields and the database server.

- The attacker identifies a susceptible SQL-driven website and uses input data to insert a malicious SQL query.
- The database validates the malicious SQL query and executes the operation.
  - The attacker is given permission to read and modify records, as well as the ability to act as database administrator.

1.5 Understanding web application database operations

- Web application: according to O'Leary et al. (2017:8), a web application is an application or program that runs on the internet or a network and is accessed through a web browser. It is also a computer application that is programmed in a browser-supported language such as C++, C#, JavaScript, HTML and CSS and operates in a web browser.
- A basic web application database has a back-end database system and website forms with server-side commands, programmed in a language that is capable of retrieving a specific portion of data from the database system over several connections (Clarke, 2012:24).
- According to Clarke (2012:24), a database-driven dynamic web application is characterised as having three tiers, namely:
  1. the presentation tier, or web browser;
  2. the logic tier, or programming language;
  3. the storage tier.

Requests are sent from the web browser to the middle tier, which responds by querying and updating the database.

1.6 Different types of SQL injection

SQL injection can be divided into three categories: in-band SQLi, inferential SQLi and out-of-band SQLi.

Here is a list of the different types of SQL injection used by attackers (Gitbook, 2021):
1. UNION SQL injection
2. Blind SQL injection
3. Time delay
4. Boolean exploitation
5. UNION SQL injection
6. Error-based SQL injection
7. System stored procedure
8. Tautology
9. End-of-line comment

In-band SQLi

In-band SQLi is one of the most commonly used and easiest to exploit forms of SQL injection (Invicti, 2022). This attack allows the attacker to access data using the same channel of communication (Invicti, 2022). In-band SQLi can be divided into union-based SQLi, which combines the results of two or more SQL statements, and error-based SQLi, which focuses on the errors displayed. They are explained in detail below.

Union-based SQLi: this technique falls under in-band SQLi. It leverages the UNION SQL operator to join the output of two or more SELECT statements into one result, which is returned as part of the HTTP response (Invicti, 2022).

Error-based SQLi: this technique falls under in-band SQLi. It depends on error messages returned by the database server to obtain information about the organisation and structure of the database (Invicti, 2022). It is important for developers to disable these error messages on a live website to avoid this type of attack.

Inferential SQLi

Inferential SQLi is the type of injection attack that takes longer to exploit, since the attacker has to reconstruct the database structure by sending payloads and observing the web application's response and the behaviour of the database server (Invicti, 2022). Inferential SQLi can be split into two types, Boolean-based and time-based, which are explained in detail below.

Boolean-based SQLi: this technique falls under inferential SQLi. It relies on sending a SQL query to the database which forces the web application to return different results depending on whether the condition in the query evaluates to true or false (Invicti, 2022). Depending on the result, the content of the HTTP response will change or remain unchanged (Invicti, 2022). This allows the attacker to infer whether the query returned true or false, even if no data is returned from the database. This method is also considered slow, since the attacker has to extract data character by character.

Time-based SQLi: this technique falls under inferential SQLi. It sends a SQL query to the web application database which causes the database to wait for a specific duration (in seconds) before sending a response (Invicti, 2022). This method is also considered slow, since the attacker has to extract data character by character, especially in a large web application database.

Out-of-band SQLi

Out-of-band SQLi is a type of injection attack that is not commonly used, since many developers know how to prevent it on the web application database server. This attack occurs when the results of the attacker's activities are received through a different channel (Invicti, 2022). If this technique succeeds it can also serve as an alternative to a time-based attack, which applies only when the responses from the server are not stable enough.

The picture below shows the steps by which error-based SQL injection is used to retrieve data from the web application database.
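The three families above have different signatures from the defender's side: error-based attempts produce bursts of database errors, time-based attempts produce repeated abnormally slow responses, and Boolean-based attempts produce many requests whose responses alternate between two sizes. The following detector is an added example, not part of the assignment: it runs those three heuristics over constructed web-server log lines (format "client status bytes latency_ms path" is assumed) and tags each client with the families it matches. The thresholds are assumptions and would need tuning for a real site.

```python
from collections import defaultdict

# Constructed log lines for the example: "client status bytes latency_ms path".
LOG_LINES = """
10.0.0.5 200 1820 120 /search
10.0.0.5 200 1820 130 /search
10.0.0.9 500 410 95 /search
10.0.0.9 500 410 90 /search
10.0.0.9 500 410 99 /search
10.0.0.9 500 410 101 /search
10.0.0.7 200 1820 5230 /search
10.0.0.7 200 1820 5190 /search
10.0.0.7 200 1820 5250 /search
10.0.0.8 200 1820 110 /search
10.0.0.8 200 902 115 /search
10.0.0.8 200 1820 112 /search
10.0.0.8 200 902 118 /search
10.0.0.8 200 1820 110 /search
10.0.0.8 200 902 114 /search
10.0.0.8 200 1820 116 /search
10.0.0.8 200 902 113 /search
""".strip().splitlines()


def parse(line):
    """Split one constructed log line into a record dict."""
    client, status, size, latency, path = line.split()
    return {"client": client, "status": int(status), "bytes": int(size),
            "latency_ms": int(latency), "path": path}


def detect(lines, error_min=3, slow_ms=5000, slow_min=2, flip_min=6):
    """Return {client: [family tags]} for clients whose traffic matches a heuristic.

    error-based:   at least error_min responses with status >= 500 (the DB
                   error messages section 1.6 says should be disabled).
    time-based:    at least slow_min responses slower than slow_ms (the
                   deliberate delay in a time-based query).
    boolean-based: responses alternate between exactly two sizes at least
                   flip_min times (true/false pages differ, section 1.6).
    """
    per_client = defaultdict(list)
    for rec in map(parse, lines):
        per_client[rec["client"]].append(rec)

    findings = {}
    for client, recs in per_client.items():
        tags = []
        errors = sum(1 for r in recs if r["status"] >= 500)
        if errors >= error_min:
            tags.append("error-based")
        slow = sum(1 for r in recs if r["latency_ms"] >= slow_ms)
        if slow >= slow_min:
            tags.append("time-based")
        sizes = [r["bytes"] for r in recs]
        flips = sum(1 for a, b in zip(sizes, sizes[1:]) if a != b)
        if len(set(sizes)) == 2 and flips >= flip_min:
            tags.append("boolean-based")
        if tags:
            findings[client] = tags
    return findings


if __name__ == "__main__":
    for client, tags in detect(LOG_LINES).items():
        print(client, tags)
```

These heuristics are deliberately simple; in practice they would be combined with the request parameters themselves and a baseline of normal traffic, but they show why disabling verbose database errors and keeping response timing stable removes two of the three signals an attacker depends on.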

Preventing SQL injection is not easy. The type of SQL vulnerability, the web application database and the programming language used to build the web application all hinder the prevention strategies implemented (Clarke, 2012:42). However, there are still some proven strategic rules that a web application database can follow in order to reduce attacks and keep the web application database secure (Clarke, 2012:24).

1.7 A list of six steps that can assist you in avoiding SQL injection

1.8 Here are some practices for avoiding SQL injection flaws

Practice: Stored procedures
Stored procedures are not always safe from SQL injection (Snyk, 2022). When used safely, however, several conventional stored procedure programming structures have the same effect as parameterised queries (Snyk, 2022). It is necessary to construct SQL statements with automatically parameterised arguments. The distinction between prepared statements and stored procedures is that a stored procedure's SQL code is defined and saved in the database and then invoked from the application (Snyk, 2022).

Practice: Prepared statements
Prepared statements are simpler to create and understand than dynamic queries when used with parameterised queries. Parameterised queries require the developer to write all of the SQL code first and then supply each parameter to the query later (Snyk, 2022). Regardless of what user input is provided, this coding style allows the database to distinguish between code and data (Snyk, 2022).

Practice: Escaping all user-supplied input
With this approach, user input is escaped before it is entered into a query (Ingalls, 2021). In terms of implementation, it is fairly database-specific (Ingalls, 2021). Retrofitting legacy code in this way is usually only recommended when implementing input validation is not cost-effective. Applications that are created from the ground up, or that require a low risk tolerance, should be built or rewritten using parameterised queries, stored procedures or an object-relational mapper that constructs the queries for you (Ingalls, 2021).

Practice: Whitelist input validation
The names of tables and columns, as well as the sort order indicator, cannot be used as bind variables in SQL queries (Ingalls, 2021). In such cases, input validation or query redesign are the most suitable options. The names of tables and columns should ideally come from the code rather than from user settings. However, if user parameter values are used to select among various table and column names, the parameter value should be mapped to the legal/expected table or column name to ensure that unvalidated user input is not included in the query (Ingalls, 2021).
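The following example is added here and is not part of the assignment. It puts sections 1.4 and 1.8 side by side on an in-memory SQLite database with constructed rows: the dynamic query, in which input becomes part of the SQL text so the database cannot tell code from data, next to the prepared statement that binds the value separately, and a whitelist mapping for the sort column and sort order, which cannot be bind variables. The table and column names, the sample users and the tautology input are all assumptions of the example.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    # Dynamic query (section 1.4): the input is spliced into the SQL text,
    # so a quote in the input changes the meaning of the statement.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Prepared statement (section 1.8): the SQL text is fixed and the value
    # is bound as data, so the database never parses it as code.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Whitelist input validation: identifiers and the sort direction cannot be
# bound, so they are mapped from the user's value to a known-good name.
ALLOWED_SORT_COLUMNS = {"username", "role"}
ALLOWED_SORT_ORDER = {"asc": "ASC", "desc": "DESC"}


def is_allowed_sort(column, order):
    """True only when both values are on the allow-list."""
    return column in ALLOWED_SORT_COLUMNS and order.lower() in ALLOWED_SORT_ORDER


def list_users_sorted(conn, sort_column, sort_order):
    """Return usernames ordered by a whitelisted column and direction."""
    if not is_allowed_sort(sort_column, sort_order):
        raise ValueError("unexpected sort column or order")
    order = ALLOWED_SORT_ORDER[sort_order.lower()]
    # Safe to interpolate: both values now come from the code's own tables.
    sql = f"SELECT username FROM users ORDER BY {sort_column} {order}"
    return [row[0] for row in conn.execute(sql).fetchall()]


def demo():
    """Compare the two lookups on a normal value and on a tautology input."""
    conn = make_db()
    tautology = "x' OR '1'='1"  # constructed tautology input (type 8 in section 1.6)
    return {
        "unsafe_normal": len(find_user_unsafe(conn, "bob")),
        "unsafe_tautology": len(find_user_unsafe(conn, tautology)),
        "safe_normal": len(find_user_safe(conn, "bob")),
        "safe_tautology": len(find_user_safe(conn, tautology)),
        "sorted": list_users_sorted(conn, "username", "desc"),
    }


if __name__ == "__main__":
    print(demo())
```

The unsafe lookup returns every row for the tautology input because the quote closes the string literal and the rest of the input becomes part of the WHERE clause; the prepared statement returns no rows because the whole input is compared, quotes and all, against the username column. The sort helper shows the other half of section 1.8: because a column name cannot be a bind variable, it is accepted only if it matches a name the code already knows.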

2. NoSQL databases

2.1 NoSQL databases

NoSQL is a database management system that places a premium on high availability, scalability and performance. In a distributed database with replicated data, it is impossible to ensure all three desirable properties of consistency, availability and partition tolerance at the same time (Johnson, 2022). In NoSQL, a lower consistency level is sometimes tolerated in order to guarantee the other two qualities. In practice, NoSQL systems frequently use a consistency model known as eventual consistency. However, certain NoSQL databases, such as Neo4j, use additional methodologies and strategies to comply with the ACID paradigm.

Scalability: horizontal scalability is commonly used in NoSQL systems to achieve scalability. As the volume of data expands, horizontal scalability means growing the system by adding more nodes for data storage and processing (Johnson, 2022).

Availability: the increased expectation of continuous system availability is one impetus for NoSQL. To achieve it, data is replicated across multiple nodes, ensuring that data remains available even if some nodes fail.

Performance: in many NoSQL applications individual records must be found among millions of data records. Hashing and range partitioning on keys are two approaches commonly employed in NoSQL systems to achieve high performance (Johnson, 2022).

Consistency: two alternative replication models, master-slave and master-master replication, are commonly used to achieve eventual consistency. The master-slave approach is more consistent, whereas the master-master form is more available (Johnson, 2022).
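The following toy cluster is an added example, not part of the assignment or of any real NoSQL product. It shows the mechanisms named in section 2.1 on constructed data: keys are hashed to a home node (hash partitioning), each value is copied to the next node on a fixed ring (replication), a read still succeeds after the home node is taken down (availability), and a separate helper splits sorted keys into shards by boundary values (range partitioning). The node names, the replication factor and the SHA-256 placement rule are assumptions of the example.

```python
import hashlib


class ToyCluster:
    """Minimal hash-partitioned, replicated key-value store (example only)."""

    def __init__(self, node_names, replicas=2):
        self.nodes = {name: {} for name in node_names}  # name -> local store
        self.order = list(node_names)                    # fixed ring order
        self.down = set()                                # simulated failures
        self.replicas = replicas

    def _home_index(self, key):
        # Hash partitioning: the key alone decides which node owns it,
        # so a lookup never has to scan other nodes.
        digest = hashlib.sha256(key.encode()).digest()
        return int.from_bytes(digest[:8], "big") % len(self.order)

    def owners(self, key):
        """Home node followed by the next (replicas - 1) nodes on the ring."""
        start = self._home_index(key)
        n = len(self.order)
        return [self.order[(start + i) % n] for i in range(self.replicas)]

    def put(self, key, value):
        """Write to every reachable replica; return the number of copies written."""
        written = 0
        for name in self.owners(key):
            if name not in self.down:
                self.nodes[name][key] = value
                written += 1
        return written

    def get(self, key):
        """Read from the first reachable replica; None if none can be reached."""
        for name in self.owners(key):
            if name not in self.down and key in self.nodes[name]:
                return self.nodes[name][key]
        return None

    def fail(self, name):
        self.down.add(name)

    def recover(self, name):
        # A node that missed writes while down now holds stale data; the
        # repair that would reconcile it (eventual consistency) is not modelled.
        self.down.discard(name)


def range_partition(keys, boundaries):
    """Range partitioning: assign sorted keys to shards split at boundary values."""
    shards = [[] for _ in range(len(boundaries) + 1)]
    for key in sorted(keys):
        idx = sum(1 for b in boundaries if key >= b)
        shards[idx].append(key)
    return shards


def demo():
    """Write three constructed records, kill the home node of one, read it back."""
    cluster = ToyCluster(["node-a", "node-b", "node-c"], replicas=2)
    for key, value in [("user:1", "alice"), ("user:2", "bob"), ("user:3", "carol")]:
        cluster.put(key, value)
    cluster.fail(cluster.owners("user:1")[0])  # home node of user:1 goes down
    return cluster.get("user:1")               # served by the replica


if __name__ == "__main__":
    print(demo())
    print(range_partition(["m", "a", "z", "k"], ["f", "p"]))
```

The trade-off described in section 2.1 is visible in `put`: a write made while one replica is down returns fewer copies than requested, and after that node recovers it serves an older value until a repair runs, which is exactly the window that eventual consistency accepts in exchange for staying available.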

2.2 Different types of NoSQL databases

The four main types of NoSQL database

Column-oriented

A database management system (DBMS) that stores data tables as columns rather than rows is known as a column-oriented DBMS (MongoDB, 2022). The table name, row key, column and timestamp are typically the multidimensional components of column-oriented systems. A column usually contains two parts: a column qualifier and a column family (MongoDB, 2022). Instead of scanning and discarding unneeded data in rows, the database can access precisely the data it needs to satisfy a SQL query by storing it this way (MongoDB, 2022). As a result, query performance is frequently improved, particularly on large data sets.

Google's Bigtable is an example. Bigtable is a distributed column-oriented NoSQL database service for massive analytical and operational workloads with high performance. According to Google, Bigtable provides a wide range of applications, scalability, high performance and high availability.

Document-oriented

Data is often stored in document-oriented NoSQL systems as groups of comparable documents (MongoDB, 2022). Because all documents are specified as self-describing data, there is no need to specify a schema. Although documents in a collection should be comparable, their data attributes can differ. JSON is a widely used document specification language.

MongoDB, for example, is a schema-free document-oriented NoSQL database system that stores documents in BSON format. It was created by MongoDB Inc., originally known as 10gen Inc., and was first released in 2009. Documents with a similar structure are grouped together as collections in MongoDB, and each document can have several fields. A new field can be introduced to a document without affecting other documents in the system by updating the central system catalog. This method is called dynamic schema.

Key-value stores

As the name of this type of NoSQL database suggests, this data model stores data in a key-value structure (MongoDB, 2022). The key is a unique object associated with a data item and is used to quickly locate that data item on physical drives (MongoDB, 2022). In real-time operations, this key-value format allows high-speed read and write processing (MongoDB, 2022). Furthermore, to achieve scalability and availability, data can be horizontally partitioned and replicated throughout a cluster. Complex query languages, on the other hand, cannot be implemented on this structure.

For example, Amazon's DynamoDB is a cloud-based NoSQL database built on key-value store principles. Except for the primary key, DynamoDB is schemaless, which means there is no preset schema for table names, column names or data types. A name-value pair in an item is a single-valued or multi-valued set of values.

Since key-value pairs are designed with simpler and less restrictive data structures than an RDBMS, DynamoDB is extremely scalable with low latency and high speed.

Graph-oriented

The design of a graph-oriented database takes advantage of the simple structure of the node-edge relationship and turns it into a well-defined database system (MongoDB, 2022). The data in a graph database is represented as a collection of nodes and edges. Nodes and edges can be labelled to indicate the types of things and relationships they represent (MongoDB, 2022). In an RDBMS, data relationships are typically stored in the data and accessed using the SQL keyword JOIN. When a database contains a lot of relationships, however, it slows down, since joining tables costs a lot of time and money. Graph databases, on the other hand, explicitly store relationships, allowing simple and quick retrieval of complicated hierarchical structures.

Figure: an example of nodes and relationships in Neo4j, developed by Neo Technology Inc., where the node labels 'Person' and 'Movie' are optional.

2.3 Difference between relational database management systems and NoSQL databases

The comparison below shows the differences between relational database management systems and NoSQL databases.

Relational database management systems:
- The database is organised in a relational model with rows and columns (David, 2022).
- A row contains general information about an item, whereas columns contain particular details.
- The columns are defined and locked before data is entered, so it follows a predefined schema. Each column's data is contained in each row (David, 2022).
- Allows vertical scaling. Scaling an RDBMS across numerous servers is a time-consuming and difficult task (David, 2022).
- Compliant with atomicity, consistency, isolation and durability (ACID).

NoSQL databases:
- Data is stored in a variety of databases, each with its own data storage strategy (David, 2022).
- It adheres to dynamic schemas, which means you can add columns at any time.
- Horizontal scaling is supported: multiple servers can be used to scale. Compared to vertical scaling, several servers of inexpensive commodity hardware or cloud instances make scaling cost-effective (David, 2022).
- ACID non-compliant.

2.4 Comparison between NoSQL and RDBMS

Summary comparison between NoSQL and RDBMS

Feature        NoSQL databases                            RDBMS
Performance    High                                       Low
Scalability    High                                       High, but more expensive
Data storage   Designed to handle large amounts of data   Large to medium-sized
Consistency    Poor                                       Good
Availability   Good                                       Good
Reliability    Poor                                       Good

3. Conclusion

3.1 Conclusion

In this document we discussed SQL injection as an attack, how it works and occurs, and the different approaches that can be used to perform this attack. We also highlighted practices that can be used to improve the security of the web application database; however, these practices do not guarantee full security for the database server, since attackers continuously develop new tools.

We also discussed NoSQL databases, how they work, and the differences between an RDBMS and NoSQL. According to Oracle (2022:29), NoSQL is better than an RDBMS since it is more secure; its weakness is that it is more complicated to develop than an RDBMS.

4. Referencing

4.1 Referencing

Clarke, J., 2012. SQL Injection Attacks. Waltham: Elsevier.

David, M., 2022. Simplilearn. https://www.simplilearn.com/difference-between-nosql-and-relational-database-systems-article Date of access: 9 June 2022.

O'Leary, L.J., O'Leary, L.D. and O'Leary, D.A., 2017. Computing Essentials. New York: McGraw-Hill Education.

Gitbook, 2021. Gitbook. https://ktflash.gitbooks.io/ceh_v9/content/132_types_of_sql_injection.html Date of access: 9 June 2022.

Ingalls, S., 2021. eSecurity Planet. https://www.esecurityplanet.com/threats/how-to-prevent-sql-injection-attacks Date of access: 9 June 2022.

Invicti, 2022. Acunetix. https://www.acunetix.com/websitesecurity/sql-injection2/ Date of access: 9 June 2022.

Johnson, J., 2022. BMC. https://www.bmc.com/blogs/cap-theorem/ Date of access: 9 June 2022.

MongoDB, 2022. MongoDB. https://www.mongodb.com/scale/types-of-nosql-databases Date of access: 9 June 2022.

MySQL, 2022. Oracle. https://www.mysql.com/ Date of access: 7 June 2022.

Joshi, S., 2005. SQL injection attack and defense: Web Application and SQL injection. http://www.securitydocs.com/library/3587 Date of access: 9 June 2022.

Snyk, 2022. GlobalDots. https://www.globaldots.com/resources/blog/8-best-practices-to-prevent-sql-injection-attacks/ Date of access: 9 June 2022.

SQL Injection, 2002. SPI Dynamics, Inc. http://www.spidynamics.com/assets/documents/WhitepaperSQLInjection.pdf Date of access: 9 June 2022.
