SQL Tutorial

• SQL | Datatypes
• SQL | DDL, DML, TCL and DCL
• SQL | TRANSACTIONS
• SQL | VIEWS
• SQL | Comments
• SQL | Constraints
• SQL | Creating Roles
• SQL | Indexes
• SQL | SEQUENCES
• SQL | Query Processing
• CTE in SQL
• SQL Trigger | Student Database
• Book Management Database
• Introduction to NoSQL

SQL Clauses / Operators

• SQL | WITH clause
• SQL | With Ties Clause
• SQL | Arithmetic Operators
• SQL | Wildcard operators
• SQL | Intersect & Except clause
• SQL | USING Clause
• SQL | MERGE Statement
• MERGE Statement in SQL Explained
• SQL | DDL, DML, DCL and TCL Commands
• SQL | CREATE DOMAIN
• SQL | DESCRIBE Statement
• SQL | Case Statement
• SQL | UNIQUE Constraint
• SQL | Create Table Extension
• SQL | ALTER (RENAME)
• SQL | ALTER (ADD, DROP, MODIFY)
• SQL | LIMIT Clause
• SQL | INSERT IGNORE Statement
• SQL | LIKE
• SQL | SOME
• SQL | OFFSET-FETCH Clause
• SQL | Except Clause
• Combining aggregate and non-aggregate values in SQL using Joins and Over clause
• SQL | ALL and ANY
• SQL | EXISTS
• SQL | GROUP BY
• SQL | Union Clause
• SQL | Aliases
• SQL | ORDER BY
• SQL | SELECT TOP Clause
• SQL | UPDATE Statement
• SQL | DELETE Statement
• SQL | INSERT INTO Statement
• SQL | AND and OR operators
• SQL | WHERE Clause
• SQL | Distinct Clause
• SQL | SELECT Query
• SQL | DROP, TRUNCATE
• SQL | CREATE
• SQL | Join (Cartesian Join & Self Join)
• SQL | Alternative Quote Operator
• SQL | Concatenation Operator
• SQL | MINUS Operator
• SQL | DIVISION
• SQL | NOT Operator
• SQL | BETWEEN & IN Operator
• SQL | Join (Inner, Left, Right and Full Joins)
• SQL | CHECK Constraint

SQL-Injection

• SQL Injection
• How to use SQLMAP to test a website for SQL Injection vulnerability
• Mitigation of SQL Injection Attack using Prepared Statements (Parameterized Queries)
• Basic SQL Injection and Mitigation with Example

SQL Functions

• SQL | Mathematical functions (SQRT, PI, SQUARE, ROUND, CEILING & FLOOR)
• SQL | Conversion Function
• SQL general functions | NVL, NVL2, DECODE, COALESCE, NULLIF, LNNVL and NANVL
• SQL | Conditional Expressions
• SQL | Character Functions with Examples
• SQL | LISTAGG
• SQL | Aggregate functions
• SQL | Functions (Aggregate and Scalar Functions)
• SQL | Date functions
• SQL | NULL
• SQL | Numeric Functions
• SQL | String functions
• SQL | Advanced Functions

SQL Queries

• SQL | Joining three or more tables
• SQL | How to Get the names of the table
• SQL | Sub queries in From Clause
• SQL | Correlated Subqueries
• SQL | Top-N Queries
• SQL | SUB Queries
• SQL | How to print duplicate rows in a table?
• SQL | How to find Nth highest salary from a table
• DBMS | Nested Queries in SQL
• SQL query to find second highest salary?

PL/SQL

• PL/SQL Introduction
• Cursors in PL/SQL
• Sum Of Two Numbers in PL/SQL
• Reverse a number in PL/SQL
• Factorial of a number in PL/SQL
• Print Patterns in PL/SQL
• Decision Making in PL/SQL
• Oracle SQL | Pseudocolumn
• SQL | Procedures in PL/SQL
• Print different star patterns in SQL
• GCD of two numbers in PL/SQL
• Centered triangular number in PL/SQL
• Floyd’s triangle in PL/SQL
• Convert distance from km to meters and centimeters in PL/SQL
• Convert the given numbers into words in Pl/SQL
• Sum of digits of a number in PL/ SQL
• Sum of digits equal to a given number in PL/SQL
• Sum and average of three numbers in PL/SQL
• Check whether a string is palindrome or not in PL/SQL
• Count odd and even digits in a number in PL/SQL
• No. of vowels and consonants in a given string in PL/SQL
• Area and Perimeter of a circle in PL/SQL
• Finding sum of first n natural numbers in PL/SQL
• Area and Perimeter of Rectangle in PL/SQL
• Sum of the first and last digit of a number in PL/SQL
• Count no. of characters and words in a string in PL/SQL
• Greatest number among three given numbers in PL/SQL
• Concatenation of strings in PL/SQL
• PL/SQL | User Input

MySQL

• MySQL | Regular expressions(Regexp)
• MySQL | Grant/Revoke Privileges
• MySQL | DATABASE() and CURRENT_USER() Functions
• MySQL | BIN() Function
• MySQL | IFNULL
• MySQL | LAST_DAY() Function
• MySQL | RENAME USER
• MySQL | DROP USER
• MySQL | CREATE USER Statement
• MySQL | Change User Password
• PHP | MySQL WHERE Clause
• PHP | MySQL ORDER BY Clause
• PHP | MySQL UPDATE Query
• PHP | MySQL Delete Query
• PHP | MySQL LIMIT Clause
• PHP | MySQL Select Query
• PHP | Inserting into MySQL database
• PHP | MySQL ( Creating Table )
• PHP | MySQL ( Creating Database )

SQL Server

• SQL SERVER | Conditional Statements
• SQL Server Identity
• SQL Server | STUFF() Function

Misc

• SQL using Python
• SQL using Python and SQLite
• SQL using Python (Handling large data)
• Check if Table, View, Trigger, etc present in Oracle
• Performing Database Operations in Java | SQL CREATE, INSERT, UPDATE, DELETE and SELECT
• Difference between Simple and Complex View in SQL
• Difference between Static and Dynamic SQL
• Having Vs Where Clause?
• Inner Join Vs Outer Join
• Difference between SQL and NoSQL

SQL Injection and Mitigation with Example

SQL injection is a type of security vulnerability where an attacker is able to insert or "inject" malicious SQL code into a query, which can then be executed by the database. This might allow the attacker to view data they are not authorized to view, modify or delete data, and perform other malicious actions.

Example of SQL Injection:

Consider a simple login form where users enter a username and password. The backend code that checks the login credentials might look like this:

sql = "SELECT * FROM users WHERE username='" + input_username + "' AND password='" + input_password + "';"

If an attacker enters the following as the input_username:

' OR '1'='1'; -- 

The SQL query becomes:

SELECT * FROM users WHERE username='' OR '1'='1'; -- ' AND password='whatever';

The -- is an SQL comment, so everything after it is ignored. Thus, the query will return a row even if the username and password do not match, potentially allowing unauthorized access.

Mitigation Techniques:

1. Use Prepared Statements (Parameterized Queries): Instead of constructing SQL statements using string concatenation, use prepared statements. They ensure that user input is always treated as data and not executable code.

   Example with prepared statement (in Java with JDBC):

   String query = "SELECT * FROM users WHERE username=? AND password=?;";
   PreparedStatement stmt = connection.prepareStatement(query);
   stmt.setString(1, input_username);
   stmt.setString(2, input_password);
   ResultSet rs = stmt.executeQuery();
   

2. Use Stored Procedures: Instead of writing SQL in your application code, use stored procedures in the database and call them from your application.

3. Escape User Input: If you must include user input in SQL queries (which is not recommended), make sure to properly escape it to make it safe for inclusion in SQL.

4. Least Privilege: The database account used by the application should have the least privileges necessary. For instance, if your application only needs to fetch data, do not give it delete or update privileges.

5. Web Application Firewall (WAF): A WAF can help detect and block SQL injection attempts.

6. Regularly Update and Patch: Ensure that your database software and application frameworks are regularly updated and patched.

7. Error Handling: Do not reveal detailed database error messages to users. Generic error messages should be displayed, and detailed errors should be logged for internal review.

By following best practices and employing the techniques above, the risk of SQL injection can be greatly minimized.

1. SQL Injection prevention techniques with examples:

   One effective technique to prevent SQL Injection is to use parameterized queries or prepared statements. Here's an example in Java using JDBC:

   String username = request.getParameter("username");
   String password = request.getParameter("password");
   
   String query = "SELECT * FROM users WHERE username = ? AND password = ?";
   try (PreparedStatement preparedStatement = connection.prepareStatement(query)) {
       preparedStatement.setString(1, username);
       preparedStatement.setString(2, password);
   
       ResultSet resultSet = preparedStatement.executeQuery();
       // Process the result set
   } catch (SQLException e) {
       // Handle exceptions
   }
   

   Parameterized queries ensure that user inputs are treated as data and not executable SQL code.

2. Preventing SQL Injection in PHP with examples:

   In PHP, you can prevent SQL Injection by using prepared statements with PDO (PHP Data Objects) or MySQLi. Example using MySQLi:

   $username = $_POST['username'];
   $password = $_POST['password'];
   
   $conn = new mysqli("localhost", "username", "password", "database");
   
   $stmt = $conn->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
   $stmt->bind_param("ss", $username, $password);
   
   $stmt->execute();
   
   $result = $stmt->get_result();
   // Process the result set
   
   $stmt->close();
   $conn->close();
   

3. Parameterized queries and SQL Injection prevention:

   Parameterized queries or prepared statements are a powerful defense against SQL Injection. They ensure that user inputs are treated as data and not executable SQL code. Examples were provided earlier for Java and PHP.

4. Web application firewall for SQL Injection protection:

   A Web Application Firewall (WAF) can add an additional layer of defense against SQL Injection attacks. It filters and monitors HTTP traffic, blocking malicious requests before they reach the web application. WAFs often have signature-based detection and can be configured to block known SQL Injection patterns.