Types of SQL injections

 
Greenhorn
Posts: 3
How many types of SQL injections are there?
 
Saloon Keeper
Posts: 9137
  • Likes 1
I'm not sure what you mean by "type of SQL injection". How do you distinguish between two different types?
 
Ranch Hand
Posts: 1154
  • Likes 2
Does this help?  https://en.wikipedia.org/wiki/SQL_injection
 
Author and ninkuma
Marshal
Posts: 66786
 
Ranch Hand
Posts: 442
Super explication.
 
Bartender
Posts: 598
  • Likes 1
There is only one type of injection, that is, using a value for something other than a value. There is (basically) only one way to protect against this, and that is to always use bind variables for passed values.

There are some variants that might be considered another "type" of injection, but they all boil down to the same thing anyway. Just don't use dynamic SQL.
 
Rancher
Posts: 964
I'm guessing you're asking about parameter substitution when using dynamic SQL which is run within a cursor?  I think it would depend upon the database product that you are using?

Informix had a nice feature allowing you to bind form variables to SQL cursors; Construct By Name - Informix 4GL

In Sybase and Powerbuilder I recall there were four main types of dynamic cursors; Dynamic SQL - I'm guessing that this still applies to SQL Server since Mirco$wipe "based" their product on Sybase AS.

I recall some horrific outsourced code I had the misfortune of modifying, a lot of nasty code that defined a type 4 SQLDA dynamic cursor.   Using SQLDA you are allowed to define a cursor in which the input parameters and types and the result set and types are not defined until the query runs.  Just because you can, does not mean you should however.
 
Greenhorn
Posts: 7
The impact of SQL injection attacks may vary from congregation of sensitive data to manipulating database information, and from executing system-level commands to denial of service of the application.

Types of SQL Injection:

1. In-band SQLi (Classic SQLi)
2. Error-based SQLi
3. Union-based SQLi
4. Inferential SQLi (Blind SQLi)
5. Boolean-based (content-based) Blind SQLi
6. Time-based Blind SQLi
7. Out-of-band SQLi

For more information click:
https://en.wikipedia.org/wiki/SQL_injection
 