SQL injection (SQLi) vulnerabilities can be catastrophic because they can allow an attacker to view, insert, delete, or modify records in a database. In injection attack, the attacker inserts, or injects, partial or complete SQL queries via the web application. The attacker injects SQL commands into input fields in an application or a URL in order to execute predefined SQL commands.

A Brief Introduction to SQL

As you may know, the following are some of the most common SQL statements (commands):

• SELECT: Used to obtain data from a database
• UPDATE: Used to update data in a database
• DELETE: Used to delete data from a database
• INSERT INTO: Used to insert new data into a database
• CREATE DATABASE: Used to create a new database
• ALTER DATABASE: Used to modify a database
• CREATE TABLE: Used to create a new table
• ALTER TABLE: Used to modify a table
• DROP TABLE: Used to delete a table
• CREATE INDEX: Used to create an index or a search key element
• DROP INDEX: Used to delete an index

Typically, SQL statements are divided into the following categories:

• Data definition language (DDL) statements
• Data manipulation language (DML) statements
• Transaction control statements
• Session control statements
• System control statements