The key difference between XSS and SQL Injection is that the XSS (or Cross Site Scripting) is a type of computer security vulnerability that injects malicious code to the website so that the code runs in the users of that website by the browser while the SQL injection is another website hacking mechanism that adds SQL code to a web form input box to gain access to resources or to make changes to data.
Every organization maintains websites, which help to improve the business and the profitability. A web application contains the client side and server side. The client side includes the user interfaces to interact with the application. The server side includes the database. Usually, there are threats that affect the proper functioning of the application. Two of them are XSS and SQL injection.
CONTENTS
1. Overview and Key Difference
2. What is XSS
3. What is SQL Injection
4. Side by Side Comparison – XSS vs SQL Injection in Tabular Form
5. Summary
What is XSS?
XSS stands for Cross Site Scripting, and it is one of the most common website attacks. It can affect that particular website as well as users of that website. The most common language to write malicious code for XSS attack is the JavaScript. XSS can steal user’s cookies, change user setting, display various malware downloads and many more.
Figure 01: XSS
There are two types of XSS. They are the persistent and non-persistent XSS. In persistent XSS, the malicious code saves to the server in the database. Then it will run on the normal page. In non-persistent XSS, the injected malicious code will be sent to the Server via an HTTP request. Usually, these attacks can occur in search fields.
What is SQL Injection?
SQL Injection is another website hacking mechanism. It places a malicious code in SQL statements via web page input. A website contains forms to collect user inputs. When asking the user for input such as username, userid he might provide an SQL statement instead of name and it. So, it can run on the website database.
Figure 02: SQL Injection
Furthermore, few examples of SQL Injections are as follows;
There can be a situation to search a user through the userid. If there is no input validation method, the user can enter a wrong input. If he enters the userid as 100 OR 1=1, it will generate an SQL statement as follows.
select * from users where userid=100 or 1=1;
This SQL statement can return all the users in the database because 1=1 is always true. If this was a hacker and if the database contained confidential data such as passwords, then he can get access to the usernames and passwords. That is an example for SQL Injection.
What is the Difference Between XSS and SQL Injection?
XSS is a type of computer security vulnerability in web applications that enables attackers to inject client-side scripts into web pages viewed by other users. SQL injection is a code injection technique, that attack data driven applications that insert SQL statements into an entry filed for execution.
XSS injects malicious code to the website, so that code runs in the users of that website by the browser. On the other hand, SQL injection adds SQL code to a web form input box to gain access to resources or to make changes to data. This is the main difference between XSS and SQL Injection. Most common language for XSS is JavaScript while SQL injection uses SQL.
Summary – XSS vs SQL Injection
The difference between XSS and SQL Injection is that the XSS injects malicious code to the website, so that code executes in the users of that website by the browser while the SQL injection adds SQL code to a web form input box to gain access to resources or to make changes to data.
Reference:
1.“What Is SQL Injection? – Definition from WhatIs.com.” SearchSoftwareQuality, TechTarget. Available here
2.“SQL Injection.” W3Schools Online Web Tutorials. Available here
3. “What Is Cross-Site Scripting (XSS)? – Definition from WhatIs.com.” SearchSecurity, TechTarget. Available here
Image Courtesy:
1.’26327769571′ by Christiaan Colen (CC BY-SA 2.0) via Flickr
2.’SQL injection’By Batka savemazaalai – Own work, (CC BY-SA 4.0) via Commons Wikimedia