issuhub.com

CEH

(Jeff_L) #1

This chapter covers SQL injection, one of the most complex and
powerful attacks. SQL injection has a steep learning curve,
and to carry out an attack, you will need to have knowledge of
web applications, databases, and SQL—and possess a lot of patience.


The acronym SQL (pronounced sequel) stands for Structured Query

Language, a language for specifying database queries. SQL was developed

in the early 1970s by personnel working for IBM. In the late 1970s the

company that later became Oracle developed the language for one of their

own products. Soon after, IBM and Oracle both had SQL products on the

market. Today, SQL is used in many products, including Microsoft’s

SQL Server.

Attacks that use SQL target websites or web applications that are powered by a back-
end database. The attack relies on the strategic insertion of malicious code or statements
into existing queries with the intention of viewing or manipulating data that is stored in the
tables within the database. Due to the ubiquity of SQL, this attack is reasonably portable
across different platforms and database types. SQL injection attacks are a common and
dangerous mechanism for compromising websites. Many high-profile attacks are a result of
SQL injection.


To be able to carry out a SQL injection attack, you must have experience

with at least Microsoft SQL Server or Oracle Database. You should also be

comfortable writing and dissecting code. Although you can read this chap-

ter without expert knowledge, it will be to your advantage to study SQL a

bit before going too far. You will not need to write SQL code for the CEH

exam, but being able to do so would be helpful.

Introducing SQL Injection


SQL injection has been around for at least 20 years, but it is no less powerful or dangerous
than any other attack we have covered so far. It is designed to exploit flaws in a website or
web application. The attack works by inserting code into an existing line of code prior to
its being executed by a database. If SQL injection is successful, attackers can cause their
own code to run.

Free download pdf
Get our desktop app
Company
Features
Documentation
Resources
© ISSUHUB. 2025. All rights reserved.