A survey on SQL injection: Vulnerabilities, attacks, and prevention techniques

In this paper, we present a detailed review of the various types of SQL injection attacks, vulnerabilities, and prevention techniques. Alongside presenting our findings from the survey, we also note future expectations and possible developments of countermeasures against SQL injection attacks.
