Most modern databases provide access to the data using a language called Structured Query Language or SQL. A reviewer involved with the review of a database should be familiar with SQL.
Structured Query Language (SQL) is an ANSI standard that permits users to access and manipulate databases. SQL statements can retrieve and update data in a database, as well as modify the structure of a database. The basics of SQL include a Data Manipulation Language (DML) and Data Definition Language (DDL).
DML includes SELECT, UPDATE, DELETE and INSERT INTO statements.
DDL includes CREATE TABLE, ALTER TABLE, DROP TABLE, CREATE INDEX and DROP INDEX statements.
These statements are semantically simple.
- CREATE TABLE creates a database table
- ALTER TABLE alters a database table
- DROP TABLE deletes a database table
UNION ALL SELECT
This SQL statement can return data from different tables. An attacker will use this to access information contained within tables that they should not be able to access.
Adding this clause to the end adds additional data to a table of your choice. For example, you might add a record to the table that controls authentication, thereby adding another username and password that you now have knowledge of to access the database.
JOIN provides the ability to select data from more than one table. Usually data is related between tables through the use of a primary or unique key. The tables are joined through a WHERE clause condition.
The UNION command adds the ability to extract data from two tables; unlike JOIN, it provides the ability to simply “stack” the two result sets on top of each other. The fields do usually need to be of the same data type.
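The "stacking" behaviour of UNION ALL SELECT described above is what a reviewer should look for when application code builds SQL by string concatenation. The following is an added example, not code from the original page: it uses Python's sqlite3 module with constructed tables (products, users) and a constructed input string to show the weak query form beside the parameterized one.

```python
import sqlite3

def make_db():
    """Build an in-memory database holding constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES ('widget', '9.99'), ('gadget', '19.99');
        INSERT INTO users VALUES ('admin', 'constructed-secret');
    """)
    return conn

def search_concatenated(conn, term):
    """Weak form: the input becomes part of the SQL text itself."""
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, term):
    """Corrected form: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()

# Constructed input: ends the string literal, then stacks a second result set.
# Both SELECTs return two columns, which is why the stacked query is accepted.
CRAFTED = "none' UNION ALL SELECT username, password FROM users --"

if __name__ == "__main__":
    conn = make_db()
    print("normal lookup:       ", search_concatenated(conn, "widget"))
    print("concatenated, crafted:", search_concatenated(conn, CRAFTED))
    print("parameterized, crafted:", search_parameterized(conn, CRAFTED))
```

With the concatenated query the rows of the users table come back in the product result set; with the bound parameter the same input is treated as a product name that matches nothing.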
Key Database terms
It is essential that a reviewer understand the following terms associated with databases:
- Data type
- Primary Key
- Stored Procedures