This course focuses on SQL vulnerabilities, which are some of the most common and dangerous vulnerabilities that you will come across when you carry out web pentesting or bug bounty hunting. We'll start by covering the fundamentals of SQL and how a database is created using it. You'll also learn about SQL commands to insert values, get their values back or change them, delete them, or edit them.
Hi, within this lecture we're going to see how we can insert data or put some data in the table that we have created over here. Even though we can do some select everything from test right now, it won't show us anything because we don't have anything in it, right? In order to do that, we need to understand how we can add data. Now I'm going to cut this. I'm going to take some notes because we will change the commands from time to time. So, I'm then going to just copy all of these things. I'll share it with you at the end of this section, so that you can take some notes.
So, I'm going to say insert or let me just do everything FROM test and you will see we won't get any result back in here. But if I do SELECT everything FROM demo, it will show us the demo things over here, right? We haven't put that in, because it was already created for us. But right now, we have created our own table and we have to learn how to put data in it.
So, that's how you put data in it: INSERT INTO test. So, INSERT INTO and the table name. So, what are we inserting into the test? Of course, we're going to specify the data that we want to insert. So, in order to do that, you have to open a parenthesis and write the column names that you may want to put. For example, I'm just not going to use the id column, but only name and age. Why? Because, as I said before, id will be automatically generated for us. So, all you have to do is just write (name, age) like that, but inside of parentheses. So I can do that as well. I can give some id value as well, but I don't want it because it's going to be automatically generated, which is much more secure for me. And then, you have to specify the values of those columns. For example, you can just say VALUES and open a parenthesis and write the respective values. So, I'm writing this inside of single quotation marks.
So, name will be 'Atil', and age will be 50, and beware that I haven't put any quotation marks around the 50 because it's an integer, and this is VARCHAR. This is a text, that's why I have included the single quotation marks, and don't forget to add this; otherwise it won't work. But in the 50, in the integer, I didn't include them because it's a number. So, they are different data types. Integers and strings, or VARCHARs, are completely different data types. So, they have different syntax. So that's why we have quotation marks in the name but not in the age.
So, if I run this, it will be inserted, but of course, it won't be shown to us because we haven't done any query, right? So, I'm going to cut this. I'm not going to run this more than once, because if I run it one more time, it will be again, just run for me and it will be added twice. So, rather than that, I'm just going to try and see if we already have this in the test table. SELECT everything FROM test, and now if I say 'Run', here we go, now we see the value. So, id is 1, name is Atil, and age is 50.
Now of course, the next thing that I would want to test is to add another value, add another record in this table and see if the id thing is working in a way that it's supposed to work. So, I'm going to say INSERT INTO test and name and age, and the VALUES will be again, this time something like maybe ('James', 60). So here you go. Now I want to run this and it will be added here, but before I run this, I will just SELECT everything FROM test so that it will be shown to us. This will be executed, and then this line will be executed in order, so it will be added and then it will be shown to us, along with the previous record that we have. Here you go. Now we see the James and we see the 60, but more importantly, we see the id is two, even though we haven't specified any id over here. Since we have specified it's a primary integer key, it's working in a good way. It's working in the way that we wanted it to work.
So, as you can see now, we can create our own tables. We can add some new values to it and we can gather information from SQL as well, from the database as well. Now, of course, we may want to put some spice into it. We may want to do different kinds of things to learn about filtering, to learn about advanced queries, and some other stuff as well. So, it's not the end for the SQL section. We're going to have to learn some more. That's what we're going to do within the next lecture.
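
The two inserts walked through in this lecture, written out as an added example (not part of the original lecture) using Python's built-in sqlite3 module. The CREATE TABLE schema is an assumption, since the table was created in an earlier lecture, and the name O'Brien is a constructed sample showing why text values are better passed as bound parameters than typed between single quotes.

```python
import sqlite3


def build_table():
    """Create the lecture's `test` table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    # Assumed schema: the lecture only says id is an integer primary key,
    # name is VARCHAR and age is an integer.
    conn.execute(
        "CREATE TABLE test (id INTEGER PRIMARY KEY, name VARCHAR, age INTEGER)"
    )
    return conn


def insert_literal(conn, name, age):
    """Build the INSERT as text, the way it is typed in the lecture.

    Returns True if the statement ran, False if the database rejected it.
    """
    sql = f"INSERT INTO test (name, age) VALUES ('{name}', {age})"
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def insert_bound(conn, name, age):
    """Insert with bound parameters; returns the id the database generated."""
    cur = conn.execute("INSERT INTO test (name, age) VALUES (?, ?)", (name, age))
    return cur.lastrowid


def demo():
    conn = build_table()
    # The two statements from the lecture: no id given, text quoted, integer bare.
    conn.execute("INSERT INTO test (name, age) VALUES ('Atil', 50)")
    conn.execute("INSERT INTO test (name, age) VALUES ('James', 60)")
    # Constructed sample: the apostrophe ends the quoted text early,
    # so the literal form is rejected as a syntax error.
    literal_ok = insert_literal(conn, "O'Brien", 41)
    # The same value as a bound parameter is stored as plain data.
    new_id = insert_bound(conn, "O'Brien", 41)
    return conn.execute("SELECT * FROM test").fetchall(), literal_ok, new_id


if __name__ == "__main__":
    print(demo())
```

The rejected statement inserts nothing, so the bound insert receives the next automatically generated id after James.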
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.