SQL Injection For Beginners: Introduction

What is SQL

SQL, or Structured Query Language, is a language used to manage and perform operations on relational databases. In SQL, each individual statement is called a SQL query.

SELECT * FROM users;

Basic Types of SQL

As a beginner, you need to know about these 3 most used types of SQL statements.

Data Definition Language (DDL)

DDL queries are used to define the schema of a database. They are used to create databases and tables and to define the structure of tables and their columns.

Data Manipulation Language (DML)

DML queries are used to manipulate existing data in a table or to insert new data (rows) into a table. They let you create, edit, and delete rows.

Data Query Language (DQL)

DQL queries are used to fetch required data from the database. They can be used to fetch data from all the rows, fetch specific data, sort data, count data and even calculate values from the rows.

Basic Operations using SQL

These SQL queries are used to perform basic operations in a database like CREATE, INSERT, UPDATE, SELECT, DELETE.

Create a new Database

This query creates a database called facebook. A database is a collection of tables, and its name is usually the same as, or related to, the application name.

CREATE DATABASE facebook;

Create a new Table

This query creates a new table called ‘users’ with columns id, name, password, email. Here, INT and VARCHAR are the data types.

-- Minimal version:
CREATE TABLE users(id INT(6),name VARCHAR(50),password VARCHAR(100),email VARCHAR(128));
-- Same table with a primary key and required columns (run one version or the other):
CREATE TABLE users(id INT(6) AUTO_INCREMENT PRIMARY KEY,name VARCHAR(50) NOT NULL,password VARCHAR(100) NOT NULL,email VARCHAR(128) NOT NULL);

Insert a new row

This query inserts a new row into the table ‘users’ which we previously created. This is an important query because it’s often injected with SQL payloads.

INSERT INTO users(name, password, email) VALUES ('John Doe', 'supersecret', 'john.doe@admin.com');

Select data from Table

The SELECT query is used to select one or more rows from a table that match a given condition or logic.

SELECT * FROM users;
SELECT id FROM users WHERE email = 'john.doe@admin.com' AND password = 'supersecret';

Delete a row from Table

This query deletes a row from the table ‘users’ where id is 6. (Notice the use of quotes wherever data is used. Strings should be surrounded with single quotes, and numerical and Boolean values can be used directly without any quotes.)

DELETE FROM users WHERE id = 6;
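The queries above, run end to end as an added example (not code from the original post). It uses Python's built-in sqlite3 module, so the table definition is adapted to SQLite syntax; the second sample row and the function names are constructed for illustration. It shows why the quoting rule matters: a value containing a single quote breaks a query built by string concatenation, while a bound parameter (?) keeps the value as data.

```python
import sqlite3

def build_db():
    """DDL + DML: the post's users table (SQLite syntax) with two sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, name VARCHAR(50) NOT NULL, "
        "password VARCHAR(100) NOT NULL, email VARCHAR(128) NOT NULL)"
    )
    rows = [  # constructed sample data; the second name contains a single quote
        ("John Doe", "supersecret", "john.doe@admin.com"),
        ("Pat O'Brien", "correct-horse", "pat@example.com"),
    ]
    db.executemany("INSERT INTO users(name, password, email) VALUES (?, ?, ?)", rows)
    return db

def find_by_name_concat(db, name):
    """Fragile: the value is pasted into the SQL text between hand-written quotes."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_by_name_bound(db, name):
    """Robust: the SQL text is fixed and the value travels separately as data."""
    return [row[0] for row in db.execute("SELECT id FROM users WHERE name = ?", (name,))]

def login_id(db, email, password):
    """DQL: the post's login lookup with both values bound as parameters."""
    row = db.execute(
        "SELECT id FROM users WHERE email = ? AND password = ?", (email, password)
    ).fetchone()
    return row[0] if row else None

def delete_user(db, user_id):
    """DML: delete by numeric id; returns the number of rows removed."""
    return db.execute("DELETE FROM users WHERE id = ?", (user_id,)).rowcount

if __name__ == "__main__":
    db = build_db()
    print(find_by_name_concat(db, "John Doe"))        # works only while the data has no quote
    try:
        find_by_name_concat(db, "Pat O'Brien")        # the quote ends the string literal early
    except sqlite3.OperationalError as exc:
        print("concatenated query failed:", exc)
    print(find_by_name_bound(db, "Pat O'Brien"))      # same value, bound as a parameter
    print(login_id(db, "john.doe@admin.com", "supersecret"))
    print(delete_user(db, 2))
```

The plaintext password column follows the post's schema; real applications store a password hash instead.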

Conclusion

In this part, you learned about SQL Injection, SQL, its types and basic queries. This is all the prerequisite knowledge you need to actually start exploiting SQL vulnerabilities. You can now continue to the next post, where we will actually exploit the vulnerability.

Pratham Vaidya

I am a computer enthusiast, pursuing my deep interest in Software Development and Cyber Security