# What you'll learn

After watching this video, you will be able to: 
* Describe structured query language (SQL, pronounced "sequel") injections.
* Identify four types of SQL injections.
* Explain which SQL clauses and operators attackers use in an attack.

# What is an SQL Injection?

An SQL injection is an attack that passes a string input to exploit a database.
* For instance, a SQL injection can occur when you request user input in a field on a web page.
* In a SQL injection, the attacker modifies a SQL statement using set operations.
* Or, they alter the **`WHERE`** clause to return alternate results.

Four pervasive types of SQL injection attacks are: 
* SQL manipulation, 
* Code injection, 
* Function call injection, and 
* Buffer overflows.

# SQL manipulation

SQL manipulation is one of the most common types of SQL injection.
* A SQL manipulation attack modifies a SQL statement using set operations.
* Two common forms of SQL manipulation attacks use a **`WHERE`** clause or a **`UNION`** statement.
* Often, a SQL manipulation attack modifies a **`WHERE`** clause of user authentication to always result in **`TRUE`**.

**For example:**

![image.png](attachment:d941fb17-6bbd-4da2-ad10-551716015bb7.png)

* This example always results in **`TRUE`** because **`a = a`**, which was added by the attacker.
* Or an attacker can change a **`UNION SELECT`** statement to grab data from different tables.

**The next example uses the Python programming language and string concatenation.**

![image.png](attachment:e1af8215-38fd-4778-84a2-e58f8771f4bb.png)

Take note of what's going on in this code snippet.

The query is built by concatenating fixed string values with the variables that came in from the request.

**Valid Input**

![image.png](attachment:0473cc4d-171a-4367-b787-aa021f067cd5.png)

* In the happy path, the user enters their name as **John Doe** and their password as **myPass**.
* The resulting query string is **`SELECT * FROM Users WHERE Name ="John Doe" AND Password ="myPass"`**.
* Pretty much what we expected.
* The SQL will return Users where Name is **John Doe** and Password is **myPass**.

**Attack Input**

![image.png](attachment:4a5ce1ff-6479-4927-b67e-5cd5312cdb4e.png)

* But in a SQL injection attack, say the attacker enters a username of **`" OR 1=1`** and a password of **`" OR 1=1`**.
* Now, the resulting query string is **`SELECT * FROM Users WHERE Name ="" OR 1=1 AND Password ="" OR 1=1`**.
* The problem here is that it doesn't matter that the name and the password are blank, because **`OR 1=1`** will always be **true**.
* This SQL statement will always return all of the users in your table because **`1=1`** will always evaluate to **`True`**!
* So, you can see how dangerous it is to concatenate strings together to form a SQL statement.
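The contrast between concatenation and a parameterized query, as an added example that is not from the video: it runs the same two logins against an in-memory SQLite table. The table contents, the function names, the use of single-quoted SQL string literals, and the always-true input (written in the `a = a` form mentioned above) are assumptions made for this illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory Users table (sample data, not from the video)."""
    db = sqlite3.connect(":memory:")
    # Plaintext passwords only mirror the notes' example query.
    db.execute("CREATE TABLE Users (Name TEXT, Password TEXT)")
    db.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("John Doe", "myPass"), ("Jane Roe", "s3cret")],
    )
    return db


def build_concatenated_query(name, password):
    """Vulnerable pattern from the notes: input is pasted into the SQL text."""
    return (
        "SELECT Name FROM Users WHERE Name ='" + name
        + "' AND Password ='" + password + "'"
    )


def login_concatenated(db, name, password):
    # The database parses whatever text arrives, so a quote in the input
    # can end the string literal and add conditions to the WHERE clause.
    return db.execute(build_concatenated_query(name, password)).fetchall()


def login_parameterized(db, name, password):
    # Placeholders send the values separately from the SQL text, so the
    # input is only ever compared as data and cannot alter the statement.
    sql = "SELECT Name FROM Users WHERE Name = ? AND Password = ?"
    return db.execute(sql, (name, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 'a'='a"  # constructed always-true input
    for label, login in (("concatenated", login_concatenated),
                         ("parameterized", login_parameterized)):
        print(label, "valid :", login(db, "John Doe", "myPass"))
        print(label, "attack:", login(db, tautology, tautology))
```

With the always-true input, the concatenated version returns every row in the table, while the parameterized version returns none because no user has that literal name and password.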

# Summary

In this video, you learned that: 
* SQL injection is an attack that passes a string input to exploit a database.
* SQL attacks can occur when user input is requested on a web page.
* In an SQL manipulation attack, the attacker modifies an SQL statement using set operators or by altering **`WHERE`** clauses or **`UNION`** operators.
* There are four types of SQL injection attacks:
    * SQL manipulation, 
    * Code injection, 
    * Function call injection, and 
    * Buffer overflow.
* SQL manipulation is the most common type of injection attack.