Crash Course in SQL
This course focuses on SQL vulnerabilities, which are some of the most common and dangerous vulnerabilities that you will come across when you carry out web pentesting or bug bounty hunting. We'll start by covering the fundamentals of SQL and how a database is created using it. You'll also learn about the SQL commands used to insert values, read them back, change them, and delete them.
Hi, within this section we're going to cover SQL injections (or "sequel" injections, however you may want to pronounce it). And in order to do that, we first have to know about SQL. We first have to know the basics, the fundamentals of the commands, or the code, for SQL. Okay, so in this section, we're going to cover the SQL fundamentals, then we're going to go into the injection side. So, first of all, what is SQL? Okay, so we're going to see that and then we will work our way up from there. So, I'm going to search for SQL, and as you can see it's the Structured Query Language, okay? So, it's pronounced "ess-que-el", but most of the time we see programmers pronounce this as "sequel". So, choose your way, whatever you may want to pronounce, this is fine. So, SQL is used to communicate with the database on the server most of the time. So, we do some queries. It means that we read some data from the database, or we may want to insert some new records or new entries into the database as well. So, we use SQL for that purpose. And sometimes databases are not properly configured, or some security measures are not in place where they're supposed to be. So, we can read some values, or we can even write some things to the database. And this is called SQL injection, and this is one of the most common things that we come across when we do web penetration tests, but in order to understand and use this we need to learn about the fundamentals of this programming language. So, that's what we're going to do. We're going to visualize this, we're going to understand this in depth so that we won't experience any difficulties when it comes to finding vulnerabilities. And this is commonly used in web development, mobile application development and in every kind of thing that you may think of when it comes to communicating with databases. So, it would be very good for you to learn about this programming language actually. And I believe this is one of the biggest pieces that is missing in web penetration courses.
So, I just wanted to include this as well, so that you would understand this in a comprehensive way. And in order to do that, we can use any platform actually, but we're going to use something called SQLite (pronounced "S-Q-L-ite" or "sequel-ite"). So, it's a lite version of SQL. And it actually operates in the same way, exactly the same way actually, like a regular SQL server, a regular SQL database, so that we can get to see what command does what, and how to work with databases. And in order to do that, we're going to use an online platform. We could have used Android Studio, we could have used any kind of, I don't know, web service in order to learn about this, but it would take so much time just to configure this and we don't need that; rather than that, we can just try it like this. So, you can just search for something like SQLite. Again, this is a version of SQL, okay? But since it's a lite version, it can be run without effort on online platforms. So, it will give us the opportunity to test the commands that we are going to be seeing. And if you search for "SQLite online", you will just see millions of results. And I believe this is the best one, sqliteonline.com. So, I've been using this for a couple of years and they are still there. So, it's stable as well. So, as you can see, you can just open it, but if it doesn't open for you, for some reason, you can of course go to other websites or other platforms to use SQLite or SQL code as well. But I'm going to be demonstrating this on sqliteonline.com. Again, this is not mandatory. You can just use whatever system that you may want. So, when we open it, we see some pre-created records and pre-created tables for us. We're going to see what those are and how we can use them to learn about these commands. That's what we're going to do within the next lecture.
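To tie the two halves of this section together, here is an added example (not the course's own code or the sqliteonline.com material) that runs the CREATE, INSERT, UPDATE, DELETE and SELECT commands mentioned above against an in-memory SQLite database, and then shows why the way a SELECT is built decides whether it is injectable: one lookup pastes the user's input into the SQL text, the other binds it as a parameter. The `users` table, its rows and the `find_user_*` helper names are constructed for this example.

```python
import sqlite3

# Constructed sample rows (not from the course): name, email, password hash placeholder.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hash-1"),
    ("bob", "bob@example.com", "hash-2"),
    ("o'neil", "oneil@example.com", "hash-3"),  # a legitimate name containing a quote
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database using the basic commands covered in the lecture."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, pw_hash TEXT)"
    )
    conn.executemany("INSERT INTO users (name, email, pw_hash) VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.execute("UPDATE users SET email = ? WHERE name = ?", ("bob@corp.example", "bob"))
    conn.execute("DELETE FROM users WHERE name = ?", ("alice",))
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Injectable form: the input is spliced into the SQL text, so it can change the query itself."""
    query = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the input is bound as a parameter and is only ever treated as data."""
    return conn.execute("SELECT id, name, email FROM users WHERE name = ?", (name,)).fetchall()


def probe(conn: sqlite3.Connection, name: str) -> dict:
    """Run the same lookup both ways; 'vulnerable' is None when the spliced query fails to parse."""
    try:
        vulnerable = find_user_vulnerable(conn, name)
    except sqlite3.OperationalError:
        vulnerable = None
    return {"vulnerable": vulnerable, "safe": find_user_safe(conn, name)}


if __name__ == "__main__":
    db = build_db()
    for candidate in ("bob", "o'neil", "x' OR '1'='1"):
        print(repr(candidate), probe(db, candidate))
```

With the quoted name the spliced query is a syntax error while the bound one finds the row; with the last input the spliced query returns every row, which is exactly the "read some values we shouldn't" outcome described above, while the bound query returns nothing.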
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.