Eliminate Sql Injection Using LINQ

As web application security breaches and attempts rise, developers are increasingly being asked to take more responsibility for the security of their applications. In fact, security-related concerns are hard to apply because they add complexity to already complex code. In this paper we propose a lightweight approach to preventing SQL Injection attacks: they can be well defended against by using LINQ (Language Integrated Query). LINQ to SQL, when used exclusively for data access, eliminates the possibility of SQL injection in your application for one simple reason: every SQL query that LINQ executes on your behalf is parameterized. Internally, this means that when LINQ to SQL queries the database, instead of embedding plain values in the SQL text, it passes them as SQL parameters, so they can never be treated as executable code by the database. This is also true for most (if not all) ORM mappers.
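The contrast the abstract describes, as an added illustration (not code from the paper): a lookup built by string concatenation beside the same lookup written as a LINQ to SQL query. The `User` mapping, `AppDataContext` and the connection string are assumed for the example; it targets LINQ to SQL on .NET Framework (`System.Data.Linq`), and `GetCommand` is used to show the generated SQL without executing it.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

// Hypothetical table mapping for the example (not taken from the paper).
[Table(Name = "Users")]
public class User
{
    [Column(IsPrimaryKey = true)] public int Id;
    [Column] public string UserName;
    [Column] public string Email;
}

public class AppDataContext : DataContext
{
    public AppDataContext(string connectionString) : base(connectionString) { }
    public Table<User> Users { get { return GetTable<User>(); } }
}

public static class UserLookup
{
    // Vulnerable: the input becomes part of the SQL text, so a value such as
    // x' OR '1'='1 changes the statement's structure instead of being data.
    public static string BuildConcatenatedQuery(string userName)
    {
        return "SELECT Id, UserName, Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // Parameterized: LINQ to SQL translates the lambda to
    // ... WHERE [t0].[UserName] = @p0 and sends userName as the value of @p0,
    // so the database never parses the input as SQL.
    public static IQueryable<User> FindByName(AppDataContext db, string userName)
    {
        return db.Users.Where(u => u.UserName == userName);
    }
}

public static class Program
{
    public static void Main()
    {
        // Placeholder connection string (assumption); the query below is only translated, not run.
        using (var db = new AppDataContext("Data Source=(localdb)\\MSSQLLocalDB;Initial Catalog=AppDb;Integrated Security=True"))
        {
            string hostile = "x' OR '1'='1";
            Console.WriteLine(UserLookup.BuildConcatenatedQuery(hostile)); // structure altered by input
            var cmd = db.GetCommand(UserLookup.FindByName(db, hostile));
            Console.WriteLine(cmd.CommandText);           // contains @p0, not the raw text
            Console.WriteLine(cmd.Parameters[0].Value);   // the whole hostile string, as data
        }
    }
}
```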
