This SQL injection would fool the database to be a regular user query and then easily access the system. The attacker spoofs identity. become the database server’s administrator. and exposes, makes unavailable or destroys existing data.
a. SQL manipulation – This involves the modification of the SQL query through the alteration of the WHERE clause (Patel et al., 2011). This modification would cause an amendment of the statement’s WHERE clause so that it constantly returns TRUE.
b. Code injection – New SQL statements, instead of valid input, would be introduced into the input fields. The classic statement or code would then append a SQL Server command, making SQL statement vulnerable. Patel et al. (2011) argues that code injection only works through the support of request of various SQL statements per database or support of keywords like OR and AND by the database.
c. Function call injection involves user defined functions or database functions being added into vulnerable SQL queries. Patel et al. (2011) observe that these function calls could be applied in the making of internal calls or modification of data in the database that could be harmful to users.
Certain characters should be the only ones accepted in the input areas. The length of these fields should be limited (Patel et al., 2011). For example, for usernames and passwords, only numbers and alphabets should be accepted and the field limited to 15 characters.
This involves the alteration of application flow through overwriting of memory parts (Cowan, Wagle & Pu, 2000). This aims at subverting the operation of a privileged program for the attacker to take control of the program so as to control the host.
In this case, the attacker exploits websites so as to inject data into the given application so as to execute XPath queries (Shanmughaneethi, Ravichandran & Swamynathan, 2011).