Learn SQL for SQL Injection in 10 minutes

Well, this means that if you have a table of the students in your class and you want to add their phone numbers to it, you will need to create a column for phone numbers, which is a type of information. If you want to add a record for a new student, you will need to add a row to enter his/her information.

Column = Type of Information
Row = Information

So how do we enter data into a database? How do we edit data? How do we add rows and columns?

To manage databases, we use a declarative language called SQL (Structured Query Language). Here are some of the main SQL commands:

SELECT : Retrieve data from table(s)
INSERT : Insert data into db table
UPDATE : Update data in db table
DELETE : Delete data from table
CREATE : Create db object
ALTER : Modify db object
DROP : Delete db object
GRANT : Assign privilege
REVOKE : Remove privilege

Selecting data from a table

To select data from a table, we use the SELECT statement whose syntax is as follows:

SELECT ColumnList FROM TableName WHERE Condition

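Let's take the following Employees table into account:

| IdNum | LName | FName | JobCode | Salary |
|-------|-------|-------|---------|--------|
| 1876 | CHIN | JACK | TA1 | 42400 |
| 1114 | GREENWALD | JANICE | ME3 | 38000 |
| 1556 | PENNINGTON | MICHAEL | ME1 | 29860 |
| 1354 | PARKER | MARY | FA3 | 65800 |
| 1130 | WOOD | DEBORAH | PT2 | 36514 |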

Now let's say I have to find the names of the employees whose salary is more than 40,000. For this purpose I can build this SQL query:

SELECT FName FROM Employees WHERE Salary > '40000'

It will print the FName, i.e. the first name, of the employees. To print all the information, we can use an * (asterisk), which selects everything.

SELECT * FROM Employees WHERE Salary > '40000'

Inserting data into a table

To insert new data into a table we use INSERT INTO statement whose syntax is as follows:

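INSERT INTO TableName (ColumnList) VALUES (Values)

| IdNum | LName | FName | JobCode | Salary |
|-------|-------|-------|---------|--------|
| 1876 | CHIN | JACK | TA1 | 42400 |
| 1114 | GREENWALD | JANICE | ME3 | 38000 |
| 1556 | PENNINGTON | MICHAEL | ME1 | 29860 |
| 1354 | PARKER | MARY | FA3 | 65800 |
| 1130 | WOOD | DEBORAH | PT2 | 36514 |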

Let's assume that we have to add the data of a new employee. We can do the following:

INSERT INTO Employees (LName, FName, JobCode, Salary) VALUES
('Stark', 'Tony', 'AM2', '70500')

Updating data and Using conditional operators

The INSERT INTO statement is used to add new data, but if we have to modify existing data, we use the UPDATE command, whose syntax is as follows:

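UPDATE TableName
SET Column1 = Value1, Column2 = Value2, …
WHERE Condition

| IdNum | LName | FName | JobCode | Salary |
|-------|-------|-------|---------|--------|
| 1876 | CHIN | JACK | TA1 | 42400 |
| 1114 | GREENWALD | JANICE | ME3 | 38000 |
| 1556 | PENNINGTON | MICHAEL | ME1 | 29860 |
| 1354 | PARKER | MARY | FA3 | 65800 |
| 1130 | WOOD | DEBORAH | PT2 | 36514 |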

So if I have to change the salary of Jack Chin then I can simply do this:

UPDATE Employees
SET Salary = '45000' WHERE LName='CHIN'

This query is perfect, but what if there are more than two employees whose last name is Chin? Well, in such cases we need to use multiple conditions with proper conditional operators. There are three conditional operators in SQL:

AND : Both conditions need to be true
OR : At least one condition needs to be true
NOT : The specified condition should not be true

Now let's select all the employees whose first name is Jack and last name is Chin.

SELECT * FROM Employees WHERE LName='CHIN' AND FName='JACK'

Now let's select everyone whose job code is either ME1 or ME3.

SELECT * FROM Employees WHERE JobCode='ME1' OR JobCode='ME3'

Now let's select all the employees whose JobCode is not ME1.

SELECT * FROM Employees WHERE NOT JobCode='ME1'
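
The OR operator is also the reason a query assembled by pasting user input into the SQL text cannot be trusted, while a query with bound parameters can. The following Python/sqlite3 sketch is an added example, not code from the original page; the helper names and the two input strings are constructed for illustration, and the table is a copy of the one shown above.

```python
import sqlite3

# Constructed sample data: the Employees table used on this page.
ROWS = [
    (1876, "CHIN", "JACK", "TA1", 42400),
    (1114, "GREENWALD", "JANICE", "ME3", 38000),
    (1556, "PENNINGTON", "MICHAEL", "ME1", 29860),
    (1354, "PARKER", "MARY", "FA3", 65800),
    (1130, "WOOD", "DEBORAH", "PT2", 36514),
]


def make_db():
    """Build an in-memory SQLite copy of the Employees table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Employees (IdNum INTEGER PRIMARY KEY, LName TEXT,"
        " FName TEXT, JobCode TEXT, Salary INTEGER)"
    )
    db.executemany("INSERT INTO Employees VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def find_concatenated(db, lname):
    """Weak form: the input is pasted into the SQL text, so a quote in it
    ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT FName FROM Employees WHERE LName='" + lname + "'"
    return sql, [r[0] for r in db.execute(sql)]


def find_bound(db, lname):
    """Hardened form: the SQL text is fixed and the input is bound to the
    ? placeholder, so it is only ever compared as a value."""
    sql = "SELECT FName FROM Employees WHERE LName = ?"
    return sql, [r[0] for r in db.execute(sql, (lname,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal last name, and one that carries an OR.
    for value in ("CHIN", "x' OR '1'='1"):
        for finder in (find_concatenated, find_bound):
            sql, names = finder(db, value)
            print(finder.__name__, "|", sql, "->", names)
```

With the second input, the concatenated query's WHERE clause becomes LName='x' OR '1'='1', which is true for every row, whereas the bound query looks for a last name equal to that whole string and returns nothing.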

Deleting data from a table

The syntax for deleting data from a table is as follows:

DELETE FROM TableName WHERE Condition

Now let's remove all the employees whose salary is more than 50,000:

DELETE FROM Employees WHERE Salary > '50000'

Ordering data

To order data, we use the ORDER BY statement whose syntax is as follows:

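SELECT ColumnList
FROM TableName
WHERE Condition
ORDER BY ColumnList

| IdNum | LName | FName | JobCode | Salary |
|-------|-------|-------|---------|--------|
| 1876 | CHIN | JACK | TA1 | 42400 |
| 1114 | GREENWALD | JANICE | ME3 | 38000 |
| 1556 | PENNINGTON | MICHAEL | ME1 | 29860 |
| 1354 | PARKER | MARY | FA3 | 65800 |
| 1130 | WOOD | DEBORAH | PT2 | 36514 |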

Now let's say we want to sort the employees alphabetically by first name. We can build this query:

SELECT * FROM Employees ORDER BY FName

Combining two or more queries

To combine multiple queries, we use the UNION statement whose syntax is the following:

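SELECT ColumnList FROM Table1 UNION SELECT ColumnList FROM Table2

So if you want to execute multiple queries at once, you can simply add the UNION statement between them. The results come back as a single result set, so every SELECT joined by UNION must return the same number of columns, with compatible data types.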

Well, there’s more to SQL but these are the basics that will help in being a good SQL Injector.
