March 13th, 2008, 03:09 PM
#3
There are many different versions of SQL; however, there is a standard base that most SQL implementations support. The standard is ANSI-SQL because it is governed by ANSI Standards.
(Side note: SQL does NOT stand for anything.) SQL began in an IBM laboratory in San Jose, CA, many years ago. From that, Transact Sequel kind of evolved. Well, right around the time Microsoft got its hands on Transact, IBM sued for the copyrights of the name Sequel and Structured Query Language. So technically, SQL doesn’t stand for anything ‘cause IBM’s lawyers say so…
Back to the answer…
Microsoft SQL Server uses a version of SQL known as Transact-SQL that is an extension of the ANSI-SQL standard. This means that M$SQL supports not only ANSI-SQL but system commands that are unique only to Microsoft SQL.
There are three basic kinds of Transact-SQL:
- Data Definition Language (DDL) Statements: These allow you to create objects in the database:
CREATE; DROP; ALTER
- Data Control Language (DCL) Statements: These allow you to determine who can see or modify data in the database:
GRANT; RESERVE; DENY
- Data Manipulation Language (DML) Statements: These allow you to query and modify data in the database, and are the most important when looking for SQL injection vulnerabilities:
SELECT; INSERT; UPDATE; DELETE
This being said, one can inject any statement into a VALID SQL statement:
SELECT * FROM users WHERE name = 'a' OR 't'='t';
If this code were to be used in an authentication procedure, then this example could be used to force the selection of a valid username because the evaluation of 't'='t' is always true.
In the above example, "OR 't'='t'" is the injected string. Since the SELECT statement is valid and the evaluation of t is valid, all RDBMS running any version of Transact-SQL will accept the above statement.
Yeah, I know that example is intro to DB 101, but it lends to the question of what’s the difference.
Really NONE.
If you want to manipulate a known vulnerability at the database level, then you have to know the exact syntax, simply because if it’s at the DB level, it’s a DB-specific command. However, if it’s a web vulnerability, standard SELECT; UPDATE commands will work just fine.
To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, user input must be escaped, or parameterized statements must be used.
Hope this helps
09:F9:11:02:9D:74:E3:5B  8:41:56:C5:63:56:88:C0
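An added example, not part of the original post: the post's `'a' OR 't'='t'` statement run three ways, with concatenated input, escaped input, and a parameterized statement. It assumes Python's built-in sqlite3 as a stand-in for SQL Server, and the users table, its rows, and the function names are constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample table; sqlite3 is a stand-in for SQL Server here.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return db

def lookup_concatenated(db, name):
    # Vulnerable: the input is pasted into the statement text, so a quote
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_escaped(db, name):
    # Escaping: double every single quote so the input stays one literal.
    # Escaping rules differ between databases, which makes this fragile.
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_parameterized(db, name):
    # Parameterized: the statement text is fixed and the input is bound
    # as a value, so it is never parsed as SQL.
    cur = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in cur)

def concatenated_fails_on(db, name):
    # True when ordinary input breaks the concatenated statement.
    try:
        lookup_concatenated(db, name)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    injected = "a' OR 't'='t"   # the string from the post
    print("concatenated: ", lookup_concatenated(db, injected))
    print("escaped:      ", lookup_escaped(db, injected))
    print("parameterized:", lookup_parameterized(db, injected))
    print("o'brien breaks concatenation:", concatenated_fails_on(db, "o'brien"))
    print("o'brien bound as parameter:  ", lookup_parameterized(db, "o'brien"))
```

The concatenated lookup returns every row for the injected string and raises a syntax error for a legitimate name containing an apostrophe; the parameterized lookup handles both as plain values.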