SQL injection is a code injection method used to attack data-driven applications. The vulnerability allows a hacker to submit crafted input that interferes with the application’s interaction with its back-end database. A hacker may be able to obtain arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.
The following are the three types of SQL injection attacks:
Union-Based SQL Injection
It is the most popular type of SQL injection. This type of attack uses the UNION operator, which combines the results of two SELECT statements, to obtain data from the database.
Error-Based SQL Injection
Error-based SQL injection is the simplest type; the only difficulty with this method is that it works only with MS-SQL Server. In this attack, we cause the application to show a database error and use that error to extract data from the database. Normally, you ask the database a question, and it responds with an error that includes the data you asked for.
Blind SQL Injection
Blind SQL injection is the hardest type. In this attack, no error messages are received from the database; hence, we extract the data by asking the database questions. Blind SQL injection is further divided into two kinds:
1. Boolean-based SQL injection
2. Time-based SQL injection
Both techniques obtain data from the database indirectly: Boolean-based injection by asking a question, and time-based injection by inducing a time delay.