Research Article

The Multi-Tier Architecture for Developing Secure Website with Detection and Prevention of SQL-Injection Attacks

by Praveen Kumar
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 62 - Number 9
Year of Publication: 2013
Authors: Praveen Kumar
10.5120/10110-4767

Praveen Kumar. The Multi-Tier Architecture for Developing Secure Website with Detection and Prevention of SQL-Injection Attacks. International Journal of Computer Applications 62, 9 (January 2013), 30-36. DOI=10.5120/10110-4767

@article{ 10.5120/10110-4767,
author = { Praveen Kumar },
title = { The Multi-Tier Architecture for Developing Secure Website with Detection and Prevention of SQL-Injection Attacks },
journal = { International Journal of Computer Applications },
issue_date = { January 2013 },
volume = { 62 },
number = { 9 },
month = { January },
year = { 2013 },
issn = { 0975-8887 },
pages = { 30-36 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume62/number9/10110-4767/ },
doi = { 10.5120/10110-4767 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T21:11:21.984719+05:30
%A Praveen Kumar
%T The Multi-Tier Architecture for Developing Secure Website with Detection and Prevention of SQL-Injection Attacks
%J International Journal of Computer Applications
%@ 0975-8887
%V 62
%N 9
%P 30-36
%D 2013
%I Foundation of Computer Science (FCS), NY, USA
Abstract

SQL injection is an attack methodology that targets the data residing in a database. The attack takes advantage of poor input validation in code and website administration. SQL injection attacks occur when an attacker is able to insert a series of SQL statements into a 'query' by manipulating the user input data of a web-based application: the attacker takes advantage of security flaws in the web application's programming and passes unexpected, malicious SQL statements through the web application for execution by the back-end database. This paper proposes a novel specification-based methodology for the prevention of SQL injection attacks. The two most important advantages of the new approach over existing analogous mechanisms are, first, that it prevents all forms of SQL injection attacks and, second, that the current technique does not allow the user to access the database directly from the database server. Our proposed framework for building secure and anti-theft web applications consists of four stages. In each stage we analyze the input data taken from the user and decide whether or not it is suspicious.
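The abstract describes the attack at the level of a query whose structure is changed by user input. The following Python example is added here for illustration and is not code from the paper; it contrasts a concatenated query with a parameterized one (the prepared-statement defence of reference 6) over a constructed in-memory SQLite table, and adds a simplified token-shape check in the spirit of parse-tree validation (reference 13) that flags input which alters the query's structure. The table contents, the `TEMPLATE` string and the `input_changes_structure` helper are assumptions made for this example; the paper's own four-stage analysis is not reproduced.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the paper): a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "o'brien", "user")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the input is concatenated into the SQL text, so it can
    change the query's structure (the situation the abstract describes)."""
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a parameterized query sends the value separately from the
    SQL text, so the value is always treated as data, never as SQL."""
    query = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Tokenizer for the structure check: quoted literals, numbers, words,
# "--" line comments, and single punctuation characters (hypothetical helper).
_TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|--[^\n]*|[^\s\w]")


def skeleton(sql):
    """Map SQL text to its token shape; literal values are abstracted away so
    two queries that differ only in data compare equal."""
    out = []
    for tok in _TOKEN.findall(sql):
        if tok.startswith("'") and tok.endswith("'") and len(tok) >= 2:
            out.append("LIT")
        elif tok.isdigit():
            out.append("NUM")
        elif tok.startswith("--"):
            out.append("COMMENT")
        else:
            out.append(tok.upper())
    return out


def input_changes_structure(template, value, benign="x"):
    """True when substituting `value` into `template` (one {} placeholder inside
    quotes) yields a different query shape than a harmless benign value does.
    This is a detection layer only; the parameterized query is the real fix."""
    return skeleton(template.format(benign)) != skeleton(template.format(value))


# Assumed query template used by the concatenating code path.
TEMPLATE = "SELECT id, name FROM users WHERE name = '{}'"


if __name__ == "__main__":
    conn = make_db()
    # Constructed inputs: an ordinary name, a name with an apostrophe, and an
    # input that adds a tautology and comments out the rest of the query.
    for value in ("bob", "o'brien", "' OR 1=1 --"):
        flagged = input_changes_structure(TEMPLATE, value)
        print(f"{value!r}: structure changed={flagged}, safe lookup={lookup_safe(conn, value)}")
```

Running the block shows that the parameterized lookup returns exactly the matching row for `bob`, returns the `o'brien` row without any escaping, and returns nothing for the crafted input, while the structure check flags both the crafted input and the apostrophe name. That last result is the honest limitation of any check applied to concatenated text: a legitimate apostrophe also changes the token shape, which is why a prepared statement, not input inspection, should be the primary control.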

References
  1. Tajpour, A., Masrom, M., Heydari, M. Z., and Ibrahim, S. SQL injection detection and prevention tools assessment. Proc. 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT'10), 9-11 July 2010, pp. 518-522.
  2. Halfond, W. G., Viegas, J., and Orso, A. A Classification of SQL-Injection Attacks and Countermeasures. In Proc. of the Intl. Symposium on Secure Software Engineering, March 2006.
  3. M. Dornseif. Common Failures in Internet Applications, May 2005. http://md.hudora.de/presentations/2005-common-failures/dornseif-common-failures-2005-05-25.pdf
  4. C. A. Mackay. SQL Injection Attacks and Some Tips on How to Prevent Them. Technical report, The Code Project, January 2005. http://www.codeproject.com/cs/database/SqlInjectionAttacks.asp
  5. X. Fu, X. Lu, B. Peltsverger, S. Chen, K. Qian, and L. Tao. A Static Analysis Framework for Detecting SQL Injection Vulnerabilities. COMPSAC 2007, 24-27 July 2007, pp. 87-96.
  6. S. Thomas, L. Williams, and T. Xie. On automated prepared statement generation to remove SQL injection vulnerabilities. Information and Software Technology 51, 589-598 (2009).
  7. M. Ruse, T. Sarkar, and S. Basu. Analysis & Detection of SQL Injection Vulnerabilities via Automatic Test Case Generation of Programs. 10th Annual International Symposium on Applications and the Internet, pp. 31-37 (2010).
  8. Shaukat Ali, Azhar Rauf, Huma Javed. SQLIPA: An authentication mechanism Against SQL Injection.
  9. Roichman, A., Gudes, E. Fine-grained Access Control to Web Databases. In: Proc. of 12th SACMAT Symposium, France (2007).
  10. K. Kemalis and T. Tzouramanis (2008). SQL-IDS: A Specification-based Approach for SQL injection Detection. SAC'08, Fortaleza, Ceará, Brazil, ACM, pp. 2153-2158.
  11. S. W. Boyd and A. D. Keromytis. SQLrand: Preventing SQL Injection Attacks. In Proceedings of the 2nd Applied Cryptography and Network Security Conference, pp. 292-302, June 2004.
  12. K. Amirtahmasebi, S. R. Jalalinia, S. Khadem. A survey of SQL injection defense mechanisms. Proc. of ICITST 2009, pp. 1-8, 9-12 Nov. 2009.
  13. G. Buehrer, B. W. Weide, P. A. G. Sivilotti. Using Parse Tree Validation to Prevent SQL Injection Attacks. In: 5th International Workshop on Software Engineering and Middleware, Lisbon, Portugal, 2005, pp. 106-113.
  14. P. Bisht, P. Madhusudan, and V. N. Venkatakrishnan. CANDID: Dynamic Candidate Evaluations for Automatic Prevention of SQL Injection Attacks. ACM Trans. Inf. Syst. Secur., 13(2):1-39, 2010.
  15. Matthew Levine. The importance of application security. Technical report, @stake, January 2003. http://www.atstake.com/research/reports/acrobat/atstake_application_security.pdf
  16. The Open Web Application Security Project. A guide to building secure web applications, Version 1.1.1. Online Documentation, September 2002. http://www.owasp.org/
  17. Kevin Spett. Security at the next level - are your web applications vulnerable? Technical report, SPI Dynamics, 2002. http://www.spidynamics.com/whitepapers/webappwhitepaper.pdf
  18. Shubham Shrivastava, Rajeev Ranjan Kumar Tripathi. Attacks Due to SQL injection & their Prevention Method for Web-Application. International Journal of Computer Science and Information Technologies, Vol 3 (2), pp. 3615-3618, 2012.
Index Terms

Computer Science
Information Sciences

Keywords

SQL Injection Avoidance, SQLIA Prevention, SQLIA Detection, SQL Attacks