Research Article

SQL Injection Attacks: Technique and Prevention Mechanism

by Gaurav Shrivastava, Kshitij Pathak
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 69 - Number 7
Year of Publication: 2013
DOI: 10.5120/11857-7626

Gaurav Shrivastava, Kshitij Pathak. SQL Injection Attacks: Technique and Prevention Mechanism. International Journal of Computer Applications. 69, 7 (May 2013), 35-39. DOI=10.5120/11857-7626

@article{ 10.5120/11857-7626,
author = { Gaurav Shrivastava, Kshitij Pathak },
title = { SQL Injection Attacks: Technique and Prevention Mechanism },
journal = { International Journal of Computer Applications },
issue_date = { May 2013 },
volume = { 69 },
number = { 7 },
month = { May },
year = { 2013 },
issn = { 0975-8887 },
pages = { 35-39 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume69/number7/11857-7626/ },
doi = { 10.5120/11857-7626 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
Abstract

In today's era, where almost every task is performed through web applications, the need to assure the security of web applications has increased. A survey held in 2010 shows web application vulnerabilities and SQL injection attacks ranked among the top five [1]. A SQL injection attack (SQLIA) is performed by persons who want to access the database and steal, change or delete data that they do not have permission to access [1]. In an SQLIA, the adversary submits a malicious query that reveals confidential data [2]. Research has also shown that when network and host-level entry points are highly secured, the public interface provided by an application is the one and only source of SQL injection attacks. An SQLIA cannot be carried out without using a space, single quotes or double dashes [3], so to prevent SQLIA these characters are taken into account. The previous model [10] used the JDBC-LDAP library, which did not support instances, aliases and set operations (UNION and UNION ALL). If a query with injection is accepted by any database based on the relational approach, it will be accepted by all databases based on the relational approach. This paper focuses on SQLIA and its techniques and addresses the shortcomings of previous models. It proposes a model that uses two databases, one relational and the other hierarchical, to determine whether a query contains an injection: the tokenization technique is applied on both databases and the results are compared. If the results are the same, there is no injection; otherwise an injection is present. Because the proposed model uses a tokenization technique, queries containing aliases, instances and set operations can also be blocked at the entry point.
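The token-comparison idea from the abstract, as an added Python sketch that is not the authors' code and does not reproduce their two-database model. The delimiters are the space, single quote and double dash named above; the query template, table and function names are assumptions made for illustration.

```python
import re

# Delimiters named in the abstract: whitespace, single quote, double dash.
# The capturing group keeps quotes and dashes in the output as tokens.
_DELIMS = re.compile(r"(--|'|\s+)")


def tokenize(query):
    """Split a query on the delimiters and drop empty/whitespace pieces."""
    return [p for p in _DELIMS.split(query) if p and not p.isspace()]


# Hypothetical login query, built by string concatenation on purpose:
# this is the kind of statement the check is meant to screen.
TEMPLATE = "SELECT * FROM users WHERE name = '{name}' AND pin = '{pin}'"


def build(name, pin):
    return TEMPLATE.format(name=name, pin=pin)


def is_injected(name, pin):
    """Compare the token count of the query as built from user input with
    the count of the same query built from harmless one-token values.
    Input that adds a quote, a space or a comment marker changes the count."""
    baseline = tokenize(build("x", "0"))
    actual = tokenize(build(name, pin))
    return len(actual) != len(baseline)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the paper.
    samples = [
        ("alice", "1234"),        # ordinary values
        ("admin' --", "1234"),    # closes the string, comments out the rest
        ("' OR '1'='1", "0"),     # tautology
        ("O'Brien", "1"),         # legitimate name that still trips the check
    ]
    for name, pin in samples:
        verdict = "blocked" if is_injected(name, pin) else "allowed"
        print(f"{name!r:16} {verdict}")
```

Legitimate values that contain a space or an apostrophe, such as O'Brien, also change the token count and are rejected by this check.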

References
  1. R. Ezumalai, G. Aghila, "Combinatorial Approach for Preventing SQL Injection Attacks", 2009 IEEE International Advance Computing Conference (IACC 2009) Patiala, India, 6-7 March 2009.
  2. Asha. N, M. Varun Kumar, Vaidhyanathan. G, "Preventing SQL Injection Attacks", International Journal of Computer Applications (0975 – 8887) Volume 52 – No. 13, August 2012.
  3. Mehdi Kiani, Andrew Clark and George, "Evaluation of Anomaly Based Character Distribution Models in the Detection of SQL Injection Attacks". The Third International Conference on Availability, Reliability and Security, 0-7695-3102-4/08, 2008 IEEE.
  4. V. Shanmughaneethi, C. Emilin Shyni and Dr. S. Swamynathan, "SBSQLID: Securing Web Applications with Service Based SQL Injection Detection", 2009 International Conference on Advances in Computing, Control, and Telecommunication Technologies, 978-0-7695-3915-7/09, 2009 IEEE.
  5. Yuji Kosuga, Kenji Kono, Miyuki Hanaoka, Hiyoshi Kohoku-ku, Yokohama, Miho Hishiyama, Yu Takahama, Kaigan Minato-ku, "Sania: Syntactic and Semantic Analysis for Automated Testing against SQL Injection" 23rd Annual Computer Security Applications Conference, 2007, 1063-9527/07, 2007 IEEE
  6. Prof. (Dr.) Sushila Madan, Supriya Madan, "Shielding Against SQL Injection Attacks Using ADMIRE Model", 2009 First International Conference on Computational Intelligence, Communication Systems and Networks, 978-0-7695-3743-6/09, 2009 IEEE.
  7. A S Yeole, B B Meshram, "Analysis of Different Technique for Detection of SQL Injection", International Conference and Workshop on Emerging Trends in Technology (ICWET 2011) – TCET, Mumbai, India, ICWET'11, February 25–26, 2011, Mumbai, Maharashtra, India. 2011 ACM.
  8. Ke Wei, M. Muthuprasanna, Suraj Kothari, "Preventing SQL Injection Attacks in Stored Procedures". Proceedings of the 2006 Australian Software Engineering Conference (ASWEC'06).
  9. Debasish Das, Utpal Sharma, D. K. Bhattacharyya, "Rule based Detection of SQL Injection Attack", International Journal of Computer Applications (0975 – 8887) Volume 43– No. 19, April 2012.
  10. NTAGWABIRA Lambert, KANG Song Lin, "Use of Query Tokenization to detect and prevent SQL Injection Attacks", 978-1-4244-5540-9/10, 2010 IEEE.
  11. Kai-Xiang Zhang, Chia-Jun Lin, Shih-Jen Chen, Yanling Hwang, Hao-Lun Huang, and Fu-Hau Hsu, "TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks", First International Conference on Robot, Vision and Signal Processing, IEEE, 2011
Index Terms

Computer Science
Information Sciences

Keywords

SQLIA, Classification of SQLIA, Query Tokenization