Perhaps it may sound strange, but I was told that SQL injection attacks can be classified as passive and active.
Passive SQLi:
- It is related to SQL statements such as:
SELECT, UNION, GROUP BY, LOAD, HAVING, EXECUTE, BEGIN, DECLARE, etc.
Active SQLi:
- It is supposed to be more dangerous, since it involves modifying the DBMS through statements like:
UPDATE, DELETE, INSERT, etc.
So I haven’t yet found anything about it in terms of white papers, study material and so on.
OWASP defines passive and active SQL injections here
Both are problematic, and if you have one you probably have the other. The problem with active is fairly obvious (someone is updating/creating/deleting your data in ways you didn’t plan). Passive is just as dangerous, though, for you and your users. Imagine if they get a list of usernames and passwords. These could be used to log in legitimately to your website, or to other websites, as most users reuse passwords on multiple sites.
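The point that both classes share one root cause, shown as an added example that is not part of the original question or answer: the same string-concatenation flaw widens a SELECT (passive) and an UPDATE (active), and a bound parameter fixes both. The table, column names, sample rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed input: a value that closes the string literal and adds a tautology.
CRAFTED = "nobody' OR '1'='1"

def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "hash-a", "user"), ("bob", "hash-b", "user")])
    return db

def lookup_unsafe(db, name):
    # "Passive" case: input is concatenated into a read query and parsed as SQL.
    sql = "SELECT name, password_hash FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # Bound parameter: the input is only ever compared as a value.
    sql = "SELECT name, password_hash FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def promote_unsafe(db, name):
    # "Active" case: the same flaw in a write query changes rows it should not.
    sql = "UPDATE users SET role = 'admin' WHERE name = '" + name + "'"
    return db.execute(sql).rowcount

def promote_safe(db, name):
    sql = "UPDATE users SET role = 'admin' WHERE name = ?"
    return db.execute(sql, (name,)).rowcount

def compare():
    # Each call gets a fresh database so the results are independent.
    return {
        "rows_read_unsafe": len(lookup_unsafe(make_db(), CRAFTED)),
        "rows_read_safe": len(lookup_safe(make_db(), CRAFTED)),
        "rows_changed_unsafe": promote_unsafe(make_db(), CRAFTED),
        "rows_changed_safe": promote_safe(make_db(), CRAFTED),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Whether a given flaw is "passive" or "active" depends on which statement the input lands in, so the remediation is the same for both: parameterize every query, reads included.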