Presentation Cyber Security Group3

Uploaded by

techlife163
Presentation: Cyber Security

Presented to: Mam Tabinda
Presenters: Suleman Saeed (12), Hamza Saeed (25), Shoaib Chishti (26), Usman Tufail (14), Basit Khan (15), Abdul Ghaffar (03)
Table of Contents

- What Is SQL Injection?
- Types of SQL Injection
- How Does SQL Work On a Website?
- How to Prevent SQL Injection?
What Is SQL Injection?

SQL Injection is a code-based vulnerability that allows an attacker to read and access sensitive data from the database. Attackers can bypass the security measures of an application and use SQL queries to modify, add, update, or delete records in the database.
Types of SQL Injection

In-band SQLi: the attacker uses the same communication channel to launch the attack and to collect the results. The two common types of in-band SQL injection are error-based and union-based SQL injection.

Error-based SQL injection: here the attacker performs certain actions that cause the database to generate error messages. Using the error message, you can identify what database it utilizes, the version of the server where the handlers are located, etc.
Union-based SQL injection: here the UNION SQL operator is used to combine the results of two or more SELECT statements generated by the database into a single HTTP response.
Blind SQLi: here the data is not transferred via the web application, so the attacker cannot see the result of the attack in-band.

Boolean-based SQL injection: here the attacker sends an SQL query to the database that asks the application to return a different result depending on whether the query returns true or false.
Time-based SQL injection: in this attack, the attacker sends an SQL query to the database which makes the database wait for a particular amount of time before returning the result. The response time helps the attacker decide whether the query is true or false.

Out-of-band SQL injection: out-of-band SQLi is not so popular, as it depends on the features that are enabled on the database server being used by the web application. It can result from a misconfiguration by the database administrator.
How Does SQL Work On a Website?

A website has three major components: frontend, backend, and database.

- At the frontend, a website is designed using HTML, CSS, and JavaScript.
- At the backend, you have scripting languages such as Python, PHP, Perl, etc.
- The server side has databases such as MySQL, Oracle, and MS SQL Server to execute the queries.
How to Prevent SQL Injection?

- Use prepared statements and parameterized queries. Parameterized statements ensure that the parameters passed into SQL statements are treated as data values rather than as part of the SQL text.

- Object-relational mapping. Most development teams prefer to use Object Relational Mapping (ORM) frameworks to translate SQL result sets into code objects more seamlessly.

- Escaping inputs. This is a simple way to protect against most SQL injection attacks, and many languages have standard functions to achieve it. You need to be aware of escape characters in every place in your code base where an SQL statement is constructed.
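As an added example (not part of the original presentation), the following Python script uses the standard library sqlite3 module to show the parameterized-query and escaping items above beside a vulnerable string-built query, run against a constructed in-memory users table. It also shows the caveat behind the escaping item: doubling quotes only protects a value that sits inside quotes, so an unquoted numeric field stays exposed, whereas a bound parameter covers both contexts. The table, the sample rows, and names such as build_db and lookup_* are my own assumptions.

```python
import sqlite3

# Constructed sample data; not from the presentation.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username: str):
    """Vulnerable: untrusted input is pasted straight into the SQL text."""
    sql = ("SELECT username, role FROM users WHERE username = '"
           + username + "' ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str):
    """Safe: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? ORDER BY id"
    return conn.execute(sql, (username,)).fetchall()


def escape_sql_string(value: str) -> str:
    """Standard SQL string escaping: double every single quote."""
    return value.replace("'", "''")


def lookup_escaped(conn, username: str):
    """Escaping works here because the value sits inside single quotes."""
    sql = ("SELECT username, role FROM users WHERE username = '"
           + escape_sql_string(username) + "' ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_by_id_escaped(conn, user_id: str):
    """Caveat: the id is unquoted in the SQL, so quote escaping cannot help.
    An input such as "1 OR 1=1" is still parsed as SQL."""
    sql = ("SELECT username, role FROM users WHERE id = "
           + escape_sql_string(user_id) + " ORDER BY id")
    return conn.execute(sql).fetchall()


def lookup_by_id_parameterized(conn, user_id: str):
    """Binding the id covers the numeric context that escaping misses."""
    sql = "SELECT username, role FROM users WHERE id = ? ORDER BY id"
    return conn.execute(sql, (user_id,)).fetchall()


def demo() -> dict:
    """Run each lookup with a benign value and with a tautology input of the
    kind the Boolean-based slide describes; returns the rows each one yields."""
    conn = build_db()
    tautology = "x' OR '1'='1"      # closes the quoted value, then adds OR
    numeric_tautology = "1 OR 1=1"  # no quotes needed in a numeric field
    return {
        "vulnerable_benign": lookup_vulnerable(conn, "bob"),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "param_benign": lookup_parameterized(conn, "bob"),
        "param_tautology": lookup_parameterized(conn, tautology),
        "escaped_tautology": lookup_escaped(conn, tautology),
        "id_escaped_tautology": lookup_by_id_escaped(conn, numeric_tautology),
        "id_param_tautology": lookup_by_id_parameterized(conn, numeric_tautology),
        "id_param_benign": lookup_by_id_parameterized(conn, "2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

Running the script shows the vulnerable string query and the escaped numeric query returning every row for the tautology inputs, while the parameterized versions return nothing for them and still find bob for the benign values. The lesson for the prevention list is that escaping must match the context the value lands in, whereas binding parameters removes that concern entirely.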
Some of the other methods used to prevent SQL injection are:

- Password hashing
- Third-party authentication
- Web application firewall
- Purchase better software
- Always update and apply patches
- Continuously monitor SQL statements and the database
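As an added example for the last item, continuous monitoring of SQL statements (not code from the presentation), here is a small Python log scanner that reads a constructed query-log excerpt and flags statements whose shape matches the injection classes described earlier: a tautology for Boolean-based, an appended UNION SELECT for union-based, a delay function for time-based, and a trailing comment that truncates the rest of the statement. The log format, the rule names, and the sample lines are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed query-log excerpt (timestamp, source, statement); not real data.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z app SELECT username, role FROM users WHERE username = 'bob'
2024-01-01T10:00:02Z app SELECT username, role FROM users WHERE username = 'x' OR '1'='1'
2024-01-01T10:00:03Z app SELECT username, role FROM users WHERE username = 'x' UNION SELECT name, sql FROM sqlite_master -- '
2024-01-01T10:00:04Z app SELECT * FROM orders WHERE id = 7
2024-01-01T10:00:05Z app SELECT * FROM orders WHERE id = 7 AND SLEEP(5)
2024-01-01T10:00:06Z app SELECT COUNT(*) FROM users
"""

# Each rule is (name, compiled pattern); names follow the injection classes above.
RULES = [
    # Boolean-based: "OR 1=1", "OR '1'='1'" and similar self-comparisons
    ("tautology", re.compile(r"\bOR\s+'?(\w+)'?\s*=\s*'?\1'?", re.I)),
    # Union-based: an extra SELECT appended with UNION
    ("union-based", re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)),
    # Time-based: delay functions from common database engines
    ("time-based", re.compile(r"\b(?:SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b", re.I)),
    # A comment sequence that discards the remainder of the original statement
    ("comment-truncation", re.compile(r"(?:--|#|/\*)[^\n]*$")),
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into timestamp, source, and SQL statement."""
    ts, source, statement = line.split(" ", 2)
    return {"ts": ts, "source": source, "statement": statement}


def classify(statement: str) -> List[str]:
    """Return the names of every rule the statement matches, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(statement)]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return only the log entries that matched at least one rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        hits = classify(entry["statement"])
        if hits:
            findings.append({**entry, "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {','.join(f['rules']):32s} {f['statement']}")
```

On the sample log the scanner reports the second, third and fifth statements and leaves the ordinary lookups alone. Pattern rules like these are a starting point, not a complete defense: they belong on the database or application query log alongside the parameterized queries above, and in practice they are tuned against the application's legitimate statements to keep false positives down.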
Conclusion

SQL Injection attacks can exploit an organization's database and take control of the database server behind a web application.

Any questions?
