1
00:00:00,410 --> 00:00:06,680
To understand SQL injection, we should know basic terms of the database systems first.

2
00:00:07,250 --> 00:00:10,340
A database is an organized collection of data.

3
00:00:10,730 --> 00:00:16,340
It is a collection of schemas, tables, queries, reports, views and other objects.

4
00:00:16,820 --> 00:00:23,390
A database management system, DBMS, is a computer software application that interacts with end users,

5
00:00:23,390 --> 00:00:27,740
other applications and the database itself to capture and analyze data.

6
00:00:28,430 --> 00:00:37,850
A general purpose DBMS allows the definition, creation, querying, update and administration of databases.

7
00:00:38,120 --> 00:00:45,590
Well-known database management systems include Oracle, MySQL, Microsoft SQL Server, PostgreSQL,

8
00:00:45,890 --> 00:00:53,690
etc. Structured Query Language, SQL, is a language used in programming and designed for managing data

9
00:00:53,690 --> 00:00:56,440
held in a relational database management system,

10
00:00:56,450 --> 00:01:05,180
RDBMS. SQL became a standard of the ANSI, American National Standards Institute, in 1986

11
00:01:05,980 --> 00:01:11,560
and of the ISO, International Organization for Standardization, in 1987.

12
00:01:12,070 --> 00:01:16,900
Since then, the standard has been revised to include a larger set of features.

13
00:01:17,350 --> 00:01:23,860
Despite the existence of such standards, though, most SQL code is not completely portable among

14
00:01:23,860 --> 00:01:26,890
different database systems without adjustments.

15
00:01:27,860 --> 00:01:34,610
Here there is a select query example. The SQL SELECT statement returns a result set of records

16
00:01:35,450 --> 00:01:36,920
from one or more tables.

17
00:01:38,110 --> 00:01:45,820
A SELECT statement retrieves zero or more rows from one or more database tables or database views.

18
00:01:46,180 --> 00:01:52,090
SELECT is the most commonly used data query language, or DQL, command.

19
00:01:52,780 --> 00:01:56,860
In the example shown on the slide, we have a table named client.

20
00:01:57,490 --> 00:02:03,550
The client table has four fields: name, surname, age and gender.

21
00:02:04,330 --> 00:02:06,460
There are four records in the client table.

22
00:02:07,330 --> 00:02:08,530
In the SELECT sentence,

23
00:02:09,420 --> 00:02:14,160
we want the name and surname fields of the client table records

24
00:02:15,550 --> 00:02:21,070
where the value of the age field of the records is greater than 30.

25
00:02:21,910 --> 00:02:28,510
So the result of this SELECT sentence will be the name and surname values of these two records.

26
00:02:30,420 --> 00:02:36,690
There are a lot of code injection vulnerabilities as a result of input and output manipulation,

27
00:02:37,230 --> 00:02:44,280
such as operating system code injection, XML injection, HTML script injection, object injection.

28
00:02:44,580 --> 00:02:52,290
Now the most famous code injection is SQL injection. SQL injection is used to attack data

29
00:02:52,290 --> 00:03:00,300
driven applications in which nefarious SQL statements are inserted into an entry field for execution,

30
00:03:00,840 --> 00:03:08,160
for example, to dump the database contents to the attacker. SQL injection must exploit a security

31
00:03:08,160 --> 00:03:10,590
vulnerability in an application's software,

32
00:03:10,950 --> 00:03:18,450
for example, when user input is either incorrectly filtered for string literal escape characters

33
00:03:18,450 --> 00:03:27,540
embedded in SQL statements, or user input is not strongly typed and unexpectedly executed. In the SQL

34
00:03:27,540 --> 00:03:28,590
injection scenario,

35
00:03:28,980 --> 00:03:33,600
the parameter which is used to produce unexpected results is sent to the server.

36
00:03:33,610 --> 00:03:36,390
The parameter is not sanitized adequately

37
00:03:36,390 --> 00:03:42,540
on the server side. The server prepares the SQL string, which will cause the unexpected result,

38
00:03:42,900 --> 00:03:48,690
and sends it to the database management server, and the result is returned to the web server.

39
00:03:49,380 --> 00:03:54,660
The web server processes the query result, prepares a response and sends it to the user.

40
00:03:55,230 --> 00:03:59,400
SQL injection attacks allow attackers to spoof identity,

41
00:03:59,760 --> 00:04:06,030
tamper with existing data, such as voiding transactions or changing balances,

42
00:04:06,420 --> 00:04:14,670
allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable,

43
00:04:15,510 --> 00:04:19,620
and become administrators of the database server.