International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 69 - Number 7
Year of Publication: 2013
Authors: Gaurav Shrivastava, Kshitij Pathak
10.5120/11857-7626
Gaurav Shrivastava, Kshitij Pathak. SQL Injection Attacks: Technique and Prevention Mechanism. International Journal of Computer Applications. 69, 7 (May 2013), 35-39. DOI=10.5120/11857-7626
In today's era, where almost every task is performed through web applications, the need to assure the security of web applications has increased. A survey held in 2010 ranked web application vulnerabilities and SQL Injection attacks among the top five [1]. An SQL Injection attack (SQLIA) is performed by people who want to access the database and steal, change or delete data they do not have permission to access [1]. In an SQLIA, the adversary submits a malicious query which reveals confidential data [2]. Research has also shown that when the network- and host-level entry points are highly secured, the public interface provided by an application is the only remaining source of SQL injection attacks. SQLIA cannot be carried out without using spaces, single quotes or double dashes [3], so these characters are monitored in order to prevent SQLIA. A previous model [10] used the JDBC-LDAP library, which does not support instances, aliases or set operations (UNION and UNION ALL). If a query containing an injection is accepted by one database based on the relational approach, it will be accepted by every database based on the relational approach. This paper focuses on SQLIA and its techniques and addresses the shortcomings of previous models. It proposes a model that uses two databases, one relational and one hierarchical, to determine whether a query contains an injection: a tokenization technique is applied to the query on both databases and the results are compared. If the results are the same, there is no injection; otherwise an injection is present. Because the proposed model uses a tokenization technique, queries containing aliases, instances and set operations can also be blocked at the entry point.
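The tokenization idea in the abstract, as an added illustration that is not the authors' two-database model: the query template is filled once with the real user values and once with harmless dummies of the same kind, both are lexed into a token skeleton, and any difference in structure (an extra OR, a UNION with an alias, a comment swallowing the rest of the query) marks the input as an injection. The `?` placeholder convention, the keyword list and the sample queries are assumptions constructed for this example.

```python
import re

# Constructed tokenizer (not the paper's implementation): one alternative per
# lexical class; comments are matched before operators so '--' is never split.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z_0-9.]*)
  | (?P<op><>|!=|<=|>=|\|\||[(),=<>*;+\-/%])
""", re.VERBOSE | re.DOTALL)

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "ALL", "AS",
            "JOIN", "ON", "INSERT", "UPDATE", "DELETE", "DROP", "ORDER", "BY"}

def tokenize(sql):
    """Split SQL into (kind, text) pairs; unlexable text becomes one 'error' token."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            tokens.append(("error", sql[pos:]))
            break
        kind, text, pos = m.lastgroup, m.group(), m.end()
        if kind == "ws":
            continue
        if kind == "word" and text.upper() in KEYWORDS:
            kind = "keyword"
        tokens.append((kind, text))
    return tokens

def structure(sql):
    """Token skeleton: keywords and operators keep their text; literals,
    identifiers and comments collapse to their kind, so values never matter."""
    return [t.upper() if k in ("keyword", "op") else k for k, t in tokenize(sql)]

def build(template, values):
    """Plain string substitution of user input into the query (the unsafe
    construction SQLIA exploits); each '?' marks one input position."""
    for v in values:
        template = template.replace("?", v, 1)
    return template

def is_injected(template, values):
    """A value is benign only if it leaves the token structure identical to that
    of the same template filled with a harmless dummy of the same kind."""
    dummies = ["0" if v.isdigit() else "x" for v in values]
    return structure(build(template, values)) != structure(build(template, dummies))
```

Note that a space inside a quoted value ("John Smith") or a doubled quote ("O''Brien") stays a single string token, so the structural comparison is stricter than a plain character blacklist while producing fewer false positives.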