== Severity of SQL Injection

=== The severity of SQL Injection attacks is limited by 
* Attacker’s skill and imagination
* Defense in depth countermeasures
** Input validation
** Least privilege
* Database technology

=== Not all databases support command chaining
* Microsoft Access
* MySQL Connector/J and C
* Oracle

=== Not all databases are equal (SQL Server)
* Command shell: `master.dbo.xp_cmdshell 'cmd.exe dir c:'` 
* Reqistry commands: `xp_regread`, `xp_regdeletekey`, …