0

I was watching the DEFCON 17: Advanced SQL Injection video here.

At 15:00, when discussing the various classes and types of SQL injection attacks, the speaker stated:

> With MySQL you really only have Union-based and Blind

Provided the above statement is true, could somebody please explain why it appears MySQL is somewhat more secure against error-based SQL injection?

questioner
  • You really need to test your assumptions before formulating questions. https://www.google.com/search?q=mysql+error+based+sql+injection – schroeder Jun 09 '22 at 09:24
  • It could be that the speaker saw a correlation between MS-SQL and ASP sites, and between MySQL and PHP sites. Different web frameworks and database connector libraries have different default error behaviour. I've definitely seen PHP sites that echo their database errors to the user though. – amon Jun 09 '22 at 17:07
  • Support for **stacked queries** perhaps? – Kate Jun 10 '22 at 19:43

1 Answer

2

> why it appears MySQL is ...

Appears to whom? Appears to you? Only you know that.

In security there is no "appears". Either a particular attack is possible or not.

Nothing in this whole video shows any weakness of any database. SQL injection is a problem of the application code, not a problem of a particular database.

On error-based SQL injection: If the application catches all database errors, then the attacker will not see any details and thus this attack will not be possible. The speaker showed some examples of what data can be retrieved via error messages. I suppose that he didn't see anything more to add to it. Whereas for the two other types there were more scenarios possible and the speaker provided more details about them.

Once again: databases are NOT vulnerable to SQL injection, but applications.

mentallurg
  • So why did he say that MySQL is limited to union or blind? – questioner Jun 08 '22 at 22:59
  • 2
    @questioner: As I said: "I *suppose* that he didn't see anything more to add to it. Whereas for two other types there were more scenarios possible". It was *his* decision to speak about some topics more, about others less. We can only *suppose* why he decided in this way. – mentallurg Jun 08 '22 at 23:40
  • Okay, so MySQL can still have error based injection? – questioner Jun 08 '22 at 23:55
  • 2
    @questioner: No. **Databases are not vulnerable to SQL injection.** Also MySQL is not vulnerable. Vulnerable are **applications**. SQL injections happen **in the application code**, not in the database. If you write the code in a bad manner, e.g. by combining SQL statements with user input, then very often your code will be vulnerable to SQL injections. If you use prepared statements, your code will be **secure** against SQL injections, **no matter what database you use**. – mentallurg Jun 09 '22 at 02:44
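
The two application-side points made in the answer and its comments (whether database errors reach the user, and whether the query is built by concatenation or with a prepared statement), as an added example that is not part of the original thread. It assumes an in-memory SQLite database as an offline stand-in for MySQL; the table, data and function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample data; in-memory SQLite stands in for MySQL (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_vulnerable(conn, name):
    # 'Before': user input is concatenated into the statement, and the raw
    # driver error text is returned to the caller, so the error channel is open.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    try:
        return {"status": 200, "body": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"status": 500, "body": f"DB error: {exc}"}


def lookup_hardened(conn, name, log):
    # 'After': the value is passed as a bound parameter, so it is never parsed
    # as SQL. Any database error is recorded server-side only and the caller
    # gets a fixed, generic message.
    try:
        rows = conn.execute(
            "SELECT id, name FROM users WHERE name = ?", (name,)
        ).fetchall()
        return {"status": 200, "body": rows}
    except sqlite3.Error as exc:
        log.append(repr(exc))
        return {"status": 500, "body": "Internal error"}


if __name__ == "__main__":
    db, server_log = make_db(), []
    for value in ("alice", "o'brien"):  # second value contains a quote
        print(value, lookup_vulnerable(db, value), lookup_hardened(db, value, server_log))
```

A name containing a single quote breaks the concatenated statement and the driver's error text comes back in the response; the parameterized version treats the same input as data and returns an empty result.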