Chapter 7 - SQL

Abstract

Structured Query Language (SQL) is one of the most common languages today for directly interacting with databases and comparable systems. Most Web applications providing interactive content use databases and are usually fueled by database management systems (DBMSs) such as MySQL, PostgreSQL, or Oracle, all of which are capable of understanding queries in SQL. The usual usage pattern is easy to describe. In most cases, the Web application receives user input requesting a certain amount of data specified by certain filters and constraints. SQL injection, and especially SQL obfuscation, is not always just a way to attack the database and Web server. Another, often-underestimated aspect of SQL obfuscation in connection with even un-exploitable SQL injection vulnerabilities is the fact that the encodings understood by the various DBMSs are not part of the feature set of common client-side cross-site scripting defense mechanisms such as NoScript and the IE8 cross-site scripting filter. Most Web application frameworks deliver decent protection against SQL injection attacks. Nevertheless, this range of attack techniques will not dramatically lose relevance, since many developers still write their SQL queries themselves, use concatenation, and thereby are likely to destroy any protective mechanisms provided by the frameworks and other mechanisms. The rise of client-side databases will be a breath of fresh air for SQL injection techniques and thereby obfuscation as well.