SQL Injection Detection and Prevention Using Input Filter Technique

SQL injection attacks, a class of injection flaw in which specially crafted input strings lead to illegal queries against databases, are among the topmost threats to web applications. A number of research prototypes and commercial products that preserve the intended structure of the queries issued by web applications have been developed, but these techniques either fail to address the full scope of the problem or have other limitations. Based on our observation that the injected string in a SQL injection attack is interpreted differently on different databases, in this paper we propose a novel and effective solution to this problem, intended to detect various types of SQLIA. The method inspects each attribute value supplied by the user through the input fields for single quotes, double dashes and spaces. When an attacker performs SQL injection, the input will most probably contain a space, a single quote or a double dash. For every space, double dash and single quote found, the count value of the input field (with a default count of 1) is increased by 1. The fixed count value and the dynamically generated count value of each input parameter are then compared. If both count values are the same, there is no SQLIA; if they differ, SQL code has been injected through the input field. Finally, such an attempt is recorded separately and blocked from accessing the database.
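The counting filter described above, as an added example that is not the paper's own code. It assumes a developer-configured table of fixed expected counts per form field (default 1) and uses constructed login-form requests, including a legitimate apostrophe that the filter also flags, a false-positive case the abstract does not discuss.

```python
from typing import Dict, List, Tuple

# Tokens the abstract's filter looks for in each user-supplied value.
TOKENS = (" ", "'", "--")


def field_count(value: str) -> int:
    """Dynamic count for one input value: starts at 1 and is incremented once
    for every space, single quote and double dash found in the value."""
    return 1 + sum(value.count(tok) for tok in TOKENS)


def check_request(fields: Dict[str, str], expected: Dict[str, int]) -> Tuple[bool, List[str]]:
    """Compare each field's dynamic count with its fixed expected count
    (assumed per-field table, default 1). Any mismatch blocks the request
    and is recorded separately, as the abstract's final step requires.
    Returns (allowed, audit_log)."""
    log: List[str] = []
    for name, value in fields.items():
        fixed = expected.get(name, 1)
        dynamic = field_count(value)
        if dynamic != fixed:
            log.append(f"BLOCKED field={name!r} expected={fixed} got={dynamic} value={value!r}")
    return (not log, log)


# Fixed counts for a constructed login form: the full-name field legitimately holds one space.
EXPECTED = {"username": 1, "password": 1, "full_name": 2}

# Constructed sample requests (not taken from the paper).
CLEAN = {"username": "alice", "password": "s3cret", "full_name": "Alice Smith"}
INJECTED = {"username": "alice' --", "password": "x", "full_name": "Alice Smith"}
# A legitimate apostrophe raises the count just like an injected quote would.
FALSE_POSITIVE = {"username": "conan", "password": "x", "full_name": "Conan O'Brien"}

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("injected", INJECTED), ("apostrophe", FALSE_POSITIVE)]:
        allowed, log = check_request(req, EXPECTED)
        print(label, "allowed" if allowed else "blocked", log)
```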
