Types of SQL injections

 
Greenhorn
Posts: 3
How many types of SQL injections are there?
 
Bartender
Posts: 9498
  • Likes 1
I'm not sure what you mean by "type of SQL injection". How do you distinguish between two different types?
 
Ranch Hand
Posts: 1159
  • Likes 2
Does this help?  https://en.wikipedia.org/wiki/SQL_injection
 
Marshal
Posts: 67166
 
Ranch Hand
Posts: 451
Super explication.
 
Bartender
Posts: 598
  • Likes 1
There is only one type of injection, that is, using a value for something other than a value. There is (basically) only one way to protect against this, and that is to always use bind variables for passed values.

There are some variants that might be considered another "type" of injection, but they all boil down to the same thing anyway. Just don't use dynamic SQL.
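
The bind-variable advice in the post above, as an added example that is not part of the original thread: Python's standard `sqlite3` module, with a constructed `users` table and hypothetical function names. The identifier allowlist goes one step beyond the post, for the case where some dynamic SQL cannot be avoided.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return db

def find_concat(db, name):
    """Vulnerable 'before': the value becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(r[0] for r in db.execute(sql))

def find_bound(db, name):
    """Bind variable: the statement text is fixed, the value is only data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(r[0] for r in db.execute(sql, (name,)))

SORT_COLUMNS = {"name", "role"}  # identifiers cannot be bound, so allowlist them

def list_sorted(db, column):
    """Unavoidable dynamic SQL: only allowlisted identifiers reach the text."""
    if column not in SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [r[0] for r in db.execute(f"SELECT name FROM users ORDER BY {column}, name")]

def concat_breaks_on_quote(db):
    """A legitimate apostrophe is enough to break the concatenated query."""
    try:
        find_concat(db, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("concat:", find_concat(db, crafted))   # predicate rewritten, every row
    print("bound: ", find_bound(db, crafted))    # compared as a literal, no row
    print("quote breaks concat:", concat_breaks_on_quote(db))
    print("bound O'Brien:", find_bound(db, "O'Brien"))
    print("sorted by role:", list_sorted(db, "role"))
```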
 
Rancher
Posts: 985
I'm guessing you're asking about parameter substitution when using dynamic SQL which is run within a cursor? I think it would depend upon the database product that you are using?

Informix had a nice feature allowing you to bind form variables to SQL cursors; Construct By Name - Informix 4GL

In Sybase and Powerbuilder I recall there were four main types of dynamic cursors; Dynamic SQL - I'm guessing that this still applies to SQL Server since Mirco$wipe "based" their product on Sybase AS.

I recall some horrific outsourced code I had the misfortune of modifying, a lot of nasty code that defined a type 4 SQLDA dynamic cursor. Using SQLDA you are allowed to define a cursor in which the input parameters and types and the result set and types are not defined until the query runs. Just because you can, does not mean you should however.
 
Greenhorn
Posts: 7
The impact of SQL injection attacks may vary from congregation of sensitive data to manipulating database information, and from executing system-level commands to denial of service of the application.

Types of SQL Injection:

1. In-band SQLi (Classic SQLi)
2. Error-based SQLi
3. Union-based SQLi
4. Inferential SQLi (Blind SQLi)
5. Boolean-based (content-based) Blind SQLi
6. Time-based Blind SQLi
7. Out-of-band SQLi

For more information click:
https://en.wikipedia.org/wiki/SQL_injection
 