REVIEW ON SQL INJECTION PROTECTION METHODS AND TOOLS

2015, Vol 77 (13)
Author(s): Muhammad Saidu Aliero, Imran Ghani, Syeed Zainudden, Muhammad Murad Khan, Munir Bello

SQL injection vulnerability is one of the most common web-based application vulnerabilities that can be exploited by SQL injection attack. Successful SQL Injection Attacks (SQLIA) result in unauthorized access and unauthorized data modification. Researchers have proposed many methods to tackle SQL injection attack; however, these methods fail to address the whole problem of SQL injection attack, because most of the approaches are vulnerable in nature, cannot resist sophisticated attack or are limited to the scope of a subset of SQLIA types. In this paper we provide a detailed background of SQLIA together with vulnerable PHP code to demonstrate how attacks are being carried out, and discuss the most commonly used method by programmers to defend against SQLIA and the disadvantages of such an approach. Lastly we reviewed the most commonly used tools and methods that act as a firewall for preventing SQLIA; finally we analytically evaluated the reviewed tools and methods based on our experience with respect to five different perspectives. Our evaluation results point out common trends on current SQLI prevention tools and methods. Most of these methods and tools have problems addressing stored-procedure attacks, as well as problems addressing attacks that take advantage of second order SQLI vulnerability. Our evaluation also shows that only a few of these methods and tools considered can be deployed in all web-based application platforms.

Author(s): Kasra Amirtahmasebi, Seyed Reza Jalalinia

Due to the huge growth in the need for using Web applications worldwide, there have been huge efforts from programmers to develop and implement new Web applications to be used by companies. Since a number of these applications lack proper security considerations, malicious users will be able to gain unauthorized access to confidential information of organizations. A concept called SQL Injection Attack (SQLIA) is a prevalent method used by attackers to extract the confidential information from organizations’ databases. They work by injecting malicious SQL codes through the web application, and they cause unexpected behavior from the database. There are a number of SQL Injection detection/prevention techniques that must be used in order to prevent unauthorized access to databases.


India, the biggest democratic ruling system in terms of population, utilises the Electronic Voting Machine or EVM for their general elections. Any EVM comprises two units: the Control unit and the Ballot unit. Ongoing research has indicated many disadvantages in the system. One of the main disadvantages we encounter is that many researchers have claimed that the EVM can easily be tampered with. EVMs also encounter many physical threats. To prevent these drawbacks, we have proposed an online voting system which counters many physical difficulties faced by the EVM. One main difficulty in the online system is the SQL Injection attack. SQL injection is messing with the database and controlling it with the help of SQL Queries. Our project focuses on the Tautology based SQL Injection attack. In this attack, a statement whose value will always be true or 1 is passed instead of username and password by the hacker. This allows access to the database which allows him/her to manipulate it. Manipulation can be of several kinds. Web based Voting is another innovation that is rising which has the possibility of countering numerous downsides faced by the EVMs. The online voting application works as any other web application. Each voter who wants to vote needs to fill in all the required details and create an account on the website first. On the day of voting, when voters cast their vote, they need to sign in with their respective credentials. When the credentials match with the data from the database, the voter can get to the voting page and make his choice. An affirmation mail is then sent to the client after effectively making the choice. The votes cast by the voters are sent to a separate database which is viewed on the administration side. We use stored procedures and parameterized queries to prevent the Tautology based SQL attack.
If a malicious user enters any query which has a value, it will simply be passed as a parameter to the SQL statement and won't be a component of the SQL statement itself, thus rendering the stored procedure invulnerable to SQL injection attacks. We also use the Secure Hash Algorithm 256 (SHA-256). It is a type of cryptographic hash function which generates a unique 256 bit long hash key for each vote. It is a one way function and so it cannot be decrypted. This ensures that the votes are not manipulated.


2013, Vol 651, pp. 841-845
Author(s): Wu Min Pan

SQL injection has become a serious security risk among all the attacks against Web applications. The SQL injection attack allows an attacker to access the underlying database unrestrictedly, and furthermore, retrieve the confidential information of the corporation and the network user. We found that most of the existing research is able to detect most of the attacks, but does not consider the complexity involved in using the defense system and the eventual cost of modification of the original program. For this reason, we conduct in-depth research on SQL injection and defense: it requires no modification of the web application code, can be adapted to different usage scenarios, involving also different operating systems and server applications, and is able to detect all the known injection points for the test application.


Author(s): Mamdouh Alenezi, Muhammad Nadeem, Raja Asif

SQL injection attacks have been rated as the most dangerous vulnerability of web-based systems for more than a decade by the OWASP top ten. Though different static, runtime and hybrid approaches have been proposed to counter SQL injection attacks, no single approach guarantees flawless prevention/detection for these attacks. Hundreds of components of open source and commercial software products are reported to the CVE repository as vulnerable to SQL injection every year. In this mapping study, we identify different existing approaches in terms of the cost of computation and protection offered. We found that most of the existing techniques claim to offer protection based on testing on a very small or limited scale. This study dissects each proposed approach, highlights their strengths and weaknesses, and categorizes them based on the underlying technology used to detect or counter the injection attacks.


2018, Vol 2 (3-2), pp. 215
Author(s): Mohd Amin Mohd Yunus, Muhammad Zainulariff Brohan, Nazri Mohd Nawi, Ely Salwana Mat Surin, Nurhakimah Azwani Md Najib, ...

SQL injection happened in electronic records in database and it still exists even after two decades since it first happened. Most of the web-based applications are still vulnerable to the SQL injection attacks. Although technology has improved a lot during these past years, hackers can still find holes to perform the SQL injection. There are many methods for this SQL injection to be performed by the hackers and there is also plenty of prevention against SQL injection. The vulnerability to SQL injection is very big and this is definitely a huge threat to the web based application as the hackers can easily hack their system and obtain any data and information that they want anytime and anywhere. This paper can conclude that several proposed techniques from existing journal papers are used for preventing SQL injection. Then, it comes out with Blockchain concept to prevent SQL injection attacks on database management system (DBMS) via IP.


2019, Vol 9 (1)
Author(s): Shahbaaz Mohammed Hayat Chaki, Mazura Mat Din

Database plays a very important role in everyone’s life including the organizations since everything today is connected via Internet and to manage so much data. There is a need of database which helps organizations to organize, sort and manage the data and to ensure that the data which a user is receiving and sending through the means of database is secure since the database stores almost everything such as banking details which includes user id, password and so on. Thus, it means that the data are really valuable and confidential to us and therefore security really matters for database. SQL Injection Attacks on the database are becoming common in this era where the hackers are trying to steal the valuable data of an individual through the means of SQL Injection Attack by using malicious query on the application. This application reveals the individual data by an efficient and the best SQL Injection Prevention technique is required in order to protect the individual data from being stolen by the hackers. Therefore, this paper will be focusing on reviewing different types of SQL Injection prevention methods and SQL injection types. The initial finding of this paper can make comparison of different types of SQL Injection Prevention methods which will enable the Database Administrator to choose the best and the efficient SQL Injection Prevention Method for their organization. Consequently, preventing SQL Injection Attack from happening would ultimately result in no data loss of a user.


2018, Vol 7 (S1), pp. 11-15
Author(s): S. Parameswari, K. Kavitha

SQL injection attacks are one of the highest dangers for applications composed for the Web. These attacks are dispatched through uncommonly made client information on web applications that utilize low level string operations to build SQL queries. An SQL injection weakness permits an assailant to stream summons straightforwardly to a web application’s hidden database and annihilate usefulness or privacy. In this paper we proposed a simplified algorithm which works on the basic features of the SQL Injection attacks and will successfully detect almost all types of SQL Injection attacks. In the paper we have also presented the experiment results in order to acknowledge the proficiency of our algorithm.


2018, Vol 7 (2.31), pp. 16
Author(s): B J. Santhosh Kumar, P P. Anaswara

SQL injection attack is the most serious security vulnerability on databases that are connected with the web or within an intranet; most of these vulnerabilities are affected by lack of input validation and SQL parameters use. The attackers are trying to steal the data which was hidden by attacking the database using the attacking technique that is called SQL injection attack. The SQL injection attack detection and prevention technologies are experimented in this paper. Different defence methods are used for prevention, such as parameterized statements, stored procedures and white list input validation. The comparative results of these methods are highlighted in the table with SQL injection query, prepared statement insertion and selection queries, stored procedures and modify queries. The comparison of these methods is used for detection and prevention of vulnerability in web server.


Author(s): Aldebaran Bayu Nugroho, Satria Mandala

There are several types of SQL injection attacks. One of the most popular SQL Injection Attacks is Blind SQL. This attack is performed by exploiting a gap in the database server when executing query words. If the server responds to an invalid query, the attacker will then reverse the engineering part of the SQL query, which is obtained from the error message of the server. The process of generating a blind SQL injection attack is complicated. As a result, a Pentester often requires a long time to penetrate the database server. This research provides solutions to the problems above by developing the automation of a blind SQL injection attack. The method used in this research is to generate keywords, such as the database name and table name so that the attacker can retrieve information about the user name and password. This research also compares several search algorithms, such as linear search, binary search, and interpolation search for generating the keywords of the attack. Automation of the Blind SQL Injection was successfully developed, and the performance of the keywords generation for each algorithm was also successfully measured, i.e., 1.7852 seconds for Binary Search, 1.789 seconds for interpolation and 1.902 seconds for Linear Search.


Author(s): Faisal Yudo Hernawan, Indra Hidayatulloh, Ipam Fuaddina Adam

Web applications are the objects most targeted by attackers. The technique most often used to attack web applications is SQL injection. This attack is categorized as dangerous because it can be used to illegally retrieve, modify, delete data, and even take over databases and web applications. To prevent SQL injection attacks from being executed by the database, a system that can identify attack patterns and can learn to detect new patterns from various attack patterns that have occurred is required. This study aims to build a system that acts as a proxy to prevent SQL injection attacks using the Hybrid Method which is a combination of SQL Injection Free Secure (SQL-IF) and Naïve Bayes methods. Tests were carried out to determine the level of accuracy, the effect of constants (K) on SQL-IF, and the number of datasets on Naïve Bayes on the accuracy and efficiency (average load time) of web pages. The test results showed that the Hybrid Method can improve the accuracy of SQL injection attack prevention. Smaller K values and larger dataset will produce better accuracy. The Hybrid Method produces a longer average web page load time than using only the SQL-IF or Naïve Bayes methods.

