Adam's SQL Notes for crazy people:Four Basic SQL Operations, or CRUD

1. Adam's SQL Notes for crazy people:
2.  
3.  
4.  
5. Four Basic SQL Operations, or CRUD
6.  
7. Creating Data – Filling data into tables.
8. Reading Data – Query data out of a table.
9. Updating Data – Change data already in a table.
10. Deleting Data – Remove data from the table.
11.  
12. "CRUD” is considered the fundamental set of four basic functions or features that every database must have.
13.  
14. These are the basic features that use these important SQL commands: `CREATE`, `INSERT`, `SELECT`, `UPDATE`, `DELETE`, and `DROP`.
15.  
16.  
17. SQL Data Types
18.  
19. Here’s a list of all the formal data types that ISO/IEC standard SQL recognizes. In addition to these, you may define additional data types that are derived from these.
20.  
21. Exact Numerics:
22.  
23. INTEGER
24. SMALLINT
25. BIGINT
26. NUMERIC
27. DECIMAL
28.  
29. Approximate Numerics:
30.  
31. REAL
32. DOUBLE PRECISION
33. FLOAT
34.  
35. Binary Strings:
36.  
37. BINARY
38. BINARY VARYING
39. BINARY LARGE OBJECT
40.  
41. Boolean:
42.  
43. BOOLEAN
44.  
45. Character Strings:
46.  
47. CHARACTER
48. CHARACTER VARYING (VARCHAR)
49. CHARACTER LARGE OBJECT
50. NATIONAL CHARACTER
51. NATIONAL CHARACTER VARYING
52. NATIONAL CHARACTER LARGE OBJECT
53.  
54. Datetimes:
55.  
56. DATE
57. TIME WITHOUT TIMEZONE
58. TIMESTAMP WITHOUT TIMEZONE
59. TIME WITH TIMEZONE
60. TIMESTAMP WITH TIMEZONE
61.  
62. Intervals:
63.  
64. INTERVAL DAY
65. INTERVAL YEAR
66.  
67. Collection Types:
68.  
69. ARRAY
70. MULTISET
71.  
72. Other Types:
73.  
74. ROW
75. XML
76.  
77.  
78.  
79.  
80.  
81. SQL Value Functions
82.  
83. These SQL value functions perform operations on data. There are all kinds of operations that could conceivably be performed on data items, but these are some that are needed most often.
84.  
85. String Value Functions
86.  
87. Function Effect
88. -------------------------------
89. SUBSTRING Extracts a substring from a source string
90.  
91. SUBSTRING SIMILAR Extracts a substring from a source string, using POSIX-based
92. regular expressions
93.  
94. SUBSTRING_REGEX Extracts from a string the first occurrence of an XQuery
95. regular expression pattern and returns one occurrence of the
96. matching substring
97.  
98. TRANSLATE_REGEX Extracts from a string the first or every occurrence of an
99. XQuery regular expression pattern and replaces it or them with an
100. XQuery replacement string
101.  
102. UPPER Converts a character string to all uppercase
103.  
104. LOWER Converts a character string to all lowercase
105.  
106. TRIM Trims off leading or trailing blanks
107.  
108. TRANSLATE Transforms a source string from one character set to
109. another
110.  
111. CONVERT Transforms a source string from one character set to
112. another
113.  
114.  
115. Numeric Value Functions
116.  
117. Function Effect
118. -------------------------------
119. POSITION Returns the starting position of a target string within a
120. source string
121. CHARACTER_LENGTH Returns the number of characters in a string
122.  
123. OCTET_LENGTH Returns the number of octets (bytes) in a character string
124.  
125. EXTRACT Extracts a single field from a datetime or interval
126.  
127.  
128. Datetime Value Functions
129.  
130. Function Effect
131. -------------------------------
132. CURRENT_DATE Returns the current date
133.  
134. CURRENT_TIME(p) Returns the current time; (p) is precision of seconds
135.  
136. CURRENT_TIMESTAMP(p) Returns the current date and the current time; (p) is precision
137. of seconds
138.  
139.  
140.  
141. SQL Set Functions
142. -------------------------------
143. The SQL set functions give you a quick answer to questions you may have about the characteristics of your data as a whole. How many rows does a table have? What is the highest value in the table? What is the lowest? These are the kinds of questions that the SQL set functions can answer for you.
144.  
145. COUNT Returns the number of rows in the specified table
146.  
147. MAX Returns the maximum value that occurs in the specified
148. table
149.  
150. MIN Returns the minimum value that occurs in the specified
151. table
152. SUM Adds up the values in a specified column
153.  
154. AVG Returns the average of all the values in the specified
155. column
156.  
157.  
158. SQL WHERE Clause Predicates
159. ------------------------------
160. Predicates boil down to either a TRUE or a FALSE result. You can filter out unwanted rows from the result of an SQL query by applying a WHERE clause whose predicate excludes the unwanted rows.
161.  
162. Comparison Predicates
163.  
164. = Equal
165. <> Not equal
166. < Less than
167. <= Less than or equal
168. > Greater than
169. >= Greater than or equal
170.  
171. Other Predicates
172.  
173. ALL BETWEEN
174. DISTINCT EXISTS
175. IN LIKE
176. MATCH NOT IN
177. NOT LIKE NULL
178. OVERLAPS SIMILAR
179. SOME, ANY UNIQUE
180.  
181.  
182.  
183.  
184. Introduction
185.  
186. Nowadays, web applications are common around the world. Nearly every major company or organization has a web presence. Maximum of these companies and organizations use web applications to provide various services to users. Some of these web applications employ database driven content. The back-end database often contains confidential and sensitive information such security numbers, credit card number, financial data, medical data. Typically the web user supplies information, such as a username and password and web applications receive user request and interact with the back-end database and returned relevant data to the user.
187. What is SQL injection?
188.  
189. SQL injection is a technique (like other web attack mechanisms) to attack data driven applications. This attack can bypass a firewall and can affect a fully patched system. The attacker takes the advantage of poorly filtered or not correctly escaped characters embedded in SQL statements into parsing variable data from user input. The attacker injects arbitrary data, most often a database query, into a string that’s eventually executed by the database through a web application (e.g. a login form).
190.  
191.  
192. Through SQL Injection attacker can obtain unauthorized access to a database and can create, read, update, alter, or delete data stored in the back-end database. Currently, almost all SQL databases such as Oracle, MySQL, PostgreSQL, MSSQL Server, MS Access are potentially vulnerable to SQL injection attacks. In its most common form, a SQL injection attack gives access to sensitive information such as social security numbers, credit card number or other financial data.
193.  
194.  
195.  
196.  
197.  
198. Why SQL injection?
199.  
200. - Identify injectable parameters.
201. - Identify the database type and version.
202. - Discover database schema.
203. - Extracting data.
204. - Insert, modify or delete data.
205. - Denial of service to authorized users by locking or deleting tables.
206. - Bypassing authentication.
207. - Privilege escalation.
208. - Execute remote commands by calling stored functions within the DBMS which are reserved for administrators.
209.  
210.  
211.  
212.  
213.  
214. SQL injection method
215.  
216. Here are some methods through which SQL statements are injected into vulnerable systems
217. - Injected through user input.
218. - Injection through cookie fields contains attack strings.
219. - Injection through Server Variables.
220. - Second-Order Injection where hidden statements to be executed at another time by another function.
221.  
222.  
223.  
224.  
225.  
226.  
227. Vulnerabilities
228.  
229. In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Web-based forms allow some access to the back-end database to allow entry of data and a response, this kind of attack bypasses firewalls and endpoint defenses. Any web form, even a simple logon form or search box (where a user can input data), might provide access to back-end database by means of SQL injection.
230. vulnerabilities SQL injection
231.  
232. The common reason that an application is vulnerable to SQL injection is improper filtering and lack of validation for user input. Input forms are quite common to collect data from a user. So, practically it is not feasible to close all the entry points to bar SQL injection. To prevent attacks developers must apply proper filtration/validation on all forms.
233. Vulnerable Applications
234.  
235. – Almost all SQL databases are potentially vulnerable such as MS SQL Server, DB2, Oracle, PostgreSQL, MySQL, MS Access, Sybase, Informix, etc
236.  
237. – Accessed through applications using :
238. ASP, JSP, PHP
239. Perl and CGI scripts that access databases
240. XML, XSL and XSQL
241. JavaScript
242. Database specific web applications
243. Many other
244.  
245.  
246.  
247.  
248.  
249. Types of SQL injection
250.  
251. -- Tautology-based SQL Injection
252.  
253. -- Piggy-backed Queries / Statement Injection
254.  
255. -- Union Query
256.  
257. -- Illegal/Logically Incorrect Queries
258.  
259. -- Inference
260.  
261. -- Stored Procedure Injection
262.  
263.  
264.  
265.  
266.  
267.  
268. Tautologies
269.  
270. Purpose :
271.  
272. Identify injectable parameters
273. Bypass authentication
274. Extract data
275.  
276. In logic, a tautology (from the Greek word ταυτολογία) is a formula which is true in every possible interpretation. In a tautology-based attack, the code is injected using the conditional OR operator such that the query always evaluates to TRUE. Tautology-based SQL injection attacks are usually bypass user authentication and extract data by inserting a tautology in the WHERE clause of a SQL query. The query transform the original condition into a tautology, causes all the rows in the database table are open to an unauthorized user. A typical SQL tautology has the form "or <comparison expression>", where the comparison expression uses one or more relational operators to compare operands and generate an always true condition. If an unauthorized user input user id as abcd and password as anything' or 'x'='x then the resulting query will be:
277.  
278. select * from user_details where userid = 'abcd' and password = 'anything' or 'x'='x'
279.  
280.  
281.  
282.  
283. Piggy-backed Queries / Statement Injection
284.  
285. Purpose :
286.  
287. Extract data
288. Modify dataset
289. Execute remote commands
290. Denial of service
291.  
292. This type of attack is different than others because the hacker injects additional queries to the original query, as a result the database receives multiple SQL queries. The first query is valid and executed normally, the subsequent queries are the injected queries, which are executed in addition to the first. Due to misconfiguration, a system is vulnerable to piggy-backed queries and allows multiple statements in one query. Let an attacker inputs abcd as usrerid and '; drop table xyz -- as password in the login form :
293. Piggy-backed Queries
294.  
295. Then the application will generate the following query :
296.  
297. select * from user_details where userid = 'abcd' and password = ''; drop table xyz -- '
298.  
299. After completing the first query ( returned an empty result set (i.e. zero rows)), the database would recognize the query delimiter(";") and execute the injected second query. The result of executing the second query would be to drop table xyz, which would destroy valuable information.
300.  
301.  
302.  
303.  
304.  
305.  
306. Union Query
307.  
308. Purpose:
309.  
310. Bypassing authentication
311. Extract data
312.  
313. This type of attack can be done by inserting a UNION query into a vulnerable parameter which returns a dataset that is the union of the result of the original first query and the results of the injected query.
314.  
315. The SQL UNION operator combines the results of two or more queries and makes a result set which includes fetched rows from the participating queries in the UNION.
316.  
317. Basic rules for combining two or more queries using UNION:
318.  
319. 1) A number of columns and order of columns of all queries must be same.
320.  
321. 2) The data types of the columns on involving table in each query should be same or compatible.
322.  
323. 3) Usually returned column names are taken from the first query.
324.  
325. By default the UNION behaves like UNION [DISTINCT] , i.e. eliminated the duplicate rows; however, using ALL keyword with UNION returns all rows, including duplicates.
326. The attacker who tries to use this method must have solid knowledge of DB schema.
327.  
328. The two dashes (--) comments out the rest of the query i.e. ' and password = 'abcd'. Therefore, the query becomes the union of two SELECT queries. The first SELECT query returns a null set because there is no matching record in the table user_details. The second query returns all the data from the table emp_details. Let try it with our login form.
329. union login
330.  
331.  
332.  
333.  
334.  
335.  
336. Illegal/Logically Incorrect Queries
337.  
338. Purpose :
339.  
340. Identify injectable parameters
341. Identify database
342. Extract data
343.  
344. In this type of injection an attacker is trying gather information about the type and structure of the back-end database of a Web application. The attack is considered as a preliminary step for further attacks. If an incorrect query is sent to a database, some application servers return the default error message and the attacker takes the advantage of this weakness. They inject code in vulnerable or injectable parameters which creates syntax, type conversion, or logical error. Through type error, one can identify the data types of certain columns. Logical error often exposes the names of tables and columns.
345.  
346.  
347.  
348.  
349.  
350.  
351. Inference
352.  
353. Purpose :
354.  
355. Identify injectable parameters
356. Identify schema
357. Extract data
358.  
359. In this type of injection, the attack is applied on well-secured databases which do not return any usable feedback or descriptive error messages. The attack is normally created in the style of the true false statement. After finding the vulnerable parameter, the attacker injects various conditions (that he wants to know whether they are true or false) through query and carefully observe the situation. If statement evaluates to true, the page continues to function normally. If false, the page behaves significantly different from the normally functioning. This type of injection is called Blind Injection. There is another type of inference attack which is called Time Attack. In this method, an attacker designs a conditional statement and inject through the vulnerable parameter and gather information based on time delays in the response of the database. See the following code:
360.  
361. http://www.example.com/product.php?product_id=100 AND IF(version() like ‘5%’, sleep(15), ‘false’))--
362.  
363. Here an attacker checks whether the system is using a MySQL version is 5.x or not, making the server delay the answer in 15 seconds (the attacker can increase the delay's time).
364.  
365.  
366.  
367.  
368.  
369. Stored Procedures
370.  
371. Purpose :
372.  
373. Privilege escalation
374. Denial of service
375. Execute remote commands
376.  
377. A stored procedure is a subroutine available to applications that access a relational database system. A stored procedure is actually stored in the database data dictionary. Typical use for stored procedures includes data validation or access control mechanisms. Furthermore, stored procedures can consolidate and centralize logic that was originally implemented in applications. Extensive or complex processing that requires execution of several SQL statements is moved into stored procedures, and all applications call the procedures. One can use nested stored procedures by executing one stored procedure from within another.
378. Stored procedures type of SQL injection tries to execute stored procedures present in the database. Most of the database have a standard set of procedures (apart from user defined procedures) that extend the functionality of the database and allow for interaction with the operating system. The attacker initially tries to find the database type with another injection method like illegal/logically incorrect queries. Once an attacker determines which databases is used in backend then he try to execute various procedures through injected code. As the stored procedure are written by developers, therefore these procedures do not make the database vulnerable to SQL injection attacks. Stored procedures can be vulnerable to execute remote commands, privilege escalation, buffer overflows, and even provide administrative access to the operating system.
379. If an attacker injects ';SHUTDOWN; -- into either the User ID or Password fields then it will generate the following SQL code :
380.  
381. select * from user_details where userid = 'abcd' and password = ''; SHUTDOWN; -- '
382.  
383. The above command causes a database to shut down.
384.  
385.  
386.  
387. Alternate Encodings
388.  
389. Purpose:
390.  
391. Evade Detection
392.  
393. In this case, the attacker injected encoded text to bypass defensive coding practices. Attackers have arranged alternate methods of encoding through their injected strings such as using hexadecimal, ASCII,
394. and Unicode character encoding. Scanning and detection techniques are not fully effective against alternate encodings. See the following example :
395.  
396. SELECT * FROM users WHERE login= '' AND pass=' ';exec(char(Ox73687574646j776e)) '
397.  
398. In the above code the char() function and ASCII hexadecimal encoding have used. The char() function returns the actual character(s) of hexadecimal encoding of character(s). This encoded string is translated into the shutdown command by the database when it is executed.
399.  
400. -----------------------------------------------------------------------------------
401.  
402.  
403.  
404.  
405.  
406. Defending against SQL Injection
407.  
408.  
409. Researchers and security managers have proposed various defensive methods to fight against SQL injection attack. The root cause of almost every SQL injection is invalid input checking. Here is a list of prevention methods :
410.  
411. Input Validation
412. Input Checking Functions
413. Validate Input Sources
414. Access Rights
415. Configure database error reporting
416.  
417.  
418.  
419.  
420. Input Validation
421.  
422. – Simple input check can prevent many attacks.
423. – Always validate user input by checking type, size, length, format, and range.
424. – Test the content of string variables and accept only expected values.
425. – Reject entries that contain binary data, escape sequences etc. This can help prevent script injection and can protect against some buffer overrun exploits.
426. – When you are working with XML documents, validate all data against its schema as it is entered.
427.  
428.  
429.  
430. Input Checking Functions
431.  
432. – Certain characters and character sequences such as ; , --, select, insert and xp_ can be used to perform an SQL injection attack.
433. – Remove these characters and character sequences from user input which reduces the chance of an injection attack.
434. – Scan query string for undesirable word like "insert", "update", "delete", "drop" etc. check whether it represent a statement or valid user input.
435. – Write a function which can handle all of this.
436.  
437.  
438. List of the characters which are used to perform an SQL injection attack :
439. Input character Meaning in SQL
440. ------------------------------------
441. ; Query delimiter.
442.  
443. ' Character data string delimiter.
444.  
445. -- Comment delimiter.
446.  
447. /* ... */ Comment delimiters. The text between /* and */ is not evaluated by the server.
448.  
449. xp_ Used at the start of the name of catalog-extended stored procedures, such as xp_cmdshell.
450.  
451.  
452.  
453.  
454. Validate Input Sources
455.  
456. – There are so many ways to attack a database, therefore the developer should check and authenticate all input sources and disallow unidentified or untrusted users/websites.
457. Access Rights/User Permissions
458.  
459. – Create "low privileged" accounts for use by applications.
460. – Never grant instance­level privileges to database accounts.
461. – Never grant database­owner or schema­owner privileges to database accounts.
462. – Be aware of the permission scheme of your database.
463. Configure database error reporting
464.  
465. – Some application server's default error reporting often gives away information that is valuable for attackers (table name, field name, etc.).
466. – The developer should configure the system correctly, therefore this information will never expose to an unauthorized user.
467.  
468. Apart from the above, there are several methods which can prevent from SQL injection.
469.  
470. Reference : http://en.wikipedia.org/wiki/SQL_injection
471.  
472.  
473.  
474.  
475.  
476.  
477. =============================================================================
478. SCRAPHEAP: DO NOT INCLUDE IN SLIDES/NOTES YET
479.  
480.  
481. Union-Based SQL Injection
482. It is the most popular type of SQL injection. This type of attack uses the UNION statement, which is the integration of two select statements, to obtain data from the database.
483.  
484. Error-Based SQL Injection
485. An error-based SQL injection is the simplest type; but, the only difficulty with this method is that it runs only with MS-SQL Server. In this attack, we cause an application to show an error to extract the database. Normally, you ask a question to the database, and it responds with an error including the data you asked for.
486.  
487. Blind SQL Injection
488. The blind SQL injection is the hardest type. In this attack, no error messages are received from the database; hence, we extract the data by asking questions to the database. The blind SQL injection is further divided into two kinds:
489. 1. Boolean-based SQL injection
490. 2. Time-based SQL injection
491. The above techniques can be used to obtain the data in the database by either asking a question or inducing a time delay.
492.  
493.  
494. SQL Injection types
495. Error based Injection:
496.  
497. The attacker sends some malicious query to the database which results in errors. The errors should be very generic, otherwise, they may give useful hints to the attacker.
498.  
499. Comment-Line: Using comment line to cause the database to ignore a part of a valid query.
500.  
501. E.g. Select * from stores where product_id = blah’ or 1=1-- (everything after this will be neglected)
502.  
503. Tautology: There are a lot of strings which always evaluates to be true, like ‘1’ = ‘1’ ‘a’ = ‘a’, etc., using them in the query to create constantly true conditions.
504.  
505. E.g. Select * from users where username=’blah’ or ‘a’=’a’ -- and password=’pass’
506. Union Based SQL injection:
507.  
508. Using union command in SQL query to execute additional queries; thereby, modifying/inserting/deleting or dropping the contents of the table.
509.  
510. E.g. Select * from stores where product_id=1 union select 1,database(),user(),4#
511.  
512. Stored procedures: Creating malicious inputs to execute malicious queries.
513.  
514. Incorrect queries: Coming up with logically incorrect queries to see the error messages to get more information about the target database.
515.  
516. Select * from stores where id=1’
517.  
518. The above query will result in a syntax error and might reveal the backend database type.
519. Blind SQL injection:
520.  
521. This is a type of SQL injection where we don’t have a clue as to whether the web application is vulnerable to injection attack or not.
522. Types:
523.  
524. Boolean: Only correct queries show the result, wrong queries do not return anything. Attackers should try to generate logically correct queries.
525.  
526. boolean type
527.  
528. If suppose the original query to the database is
529.  
530. Select * from users where id=’id.txt’
531.  
532. If we give blah’ and 1=1# as input which evaluates to be a right query
533.  
534. Select * from users where id=’blah’ or 1=1#, we will see the user results.
535.  
536. If we give blah’ and 1=2# as input which is a wrong query then we don’t see any results.
537.  
538. Select * from users where id=’blah’ or 1=2#
539.  
540. Time delay: Depending on some conditions, setting a time delay. If that condition is satisfied, we can observe the time delay; thereby, concluding that the input we gave produced a positive result. This is a time consuming process.