Web applications have become enormously popular for delivering services online, such as e-shopping, e-banking, e-ticketing and e-learning. As the use of web applications grows, attacks on web applications increase as well. Among these attack techniques, SQL Injection has emerged as one of the most dangerous threats to web applications. SQL Injection is primarily an attack on data-driven web applications: by supplying specially crafted input through web form fields, an attacker can read and modify the contents of the application's underlying database. This research work presents a technique for the detection and prevention of SQL Injection. The concept is implemented with a parameterized cursor: the user's session information is passed to the cursor as a parameter, so if the user is authorized the cursor fetches the requested tuples, and otherwise it fails to execute. The technique can easily be adopted and implemented on any platform and database. An example application was developed in Oracle Internet Developer Suite 10g and Oracle Database 10g to test its performance against SQL Injection.
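The following PL/SQL procedure is an added illustration of the parameterized-cursor idea described above; it is not the paper's own code, and the SESSIONS and ACCOUNTS tables, their columns and the procedure name are assumptions.

```sql
-- Added example, not taken from the paper. Assumed schema:
--   SESSIONS (session_id VARCHAR2, user_id VARCHAR2, expires_at TIMESTAMP)
--   ACCOUNTS (account_id VARCHAR2, owner_id VARCHAR2, balance NUMBER)
CREATE OR REPLACE PROCEDURE show_balance (
    p_session_id IN VARCHAR2,   -- opaque session token from the web tier
    p_account_id IN VARCHAR2    -- value typed into the web form field
)
IS
    -- Parameterized cursor: both values are bound, never concatenated into
    -- the SQL text, so a form value such as  ' OR '1'='1  is compared as a
    -- plain string literal and matches nothing.
    CURSOR c_balance (cp_session VARCHAR2, cp_account VARCHAR2) IS
        SELECT a.account_id, a.balance
          FROM accounts a
          JOIN sessions s ON s.user_id = a.owner_id   -- session must own the row
         WHERE s.session_id = cp_session
           AND s.expires_at > SYSTIMESTAMP             -- and still be valid
           AND a.account_id = cp_account;
    v_row c_balance%ROWTYPE;
BEGIN
    OPEN c_balance (p_session_id, p_account_id);
    FETCH c_balance INTO v_row;
    IF c_balance%NOTFOUND THEN
        CLOSE c_balance;
        -- No valid session owns that account: refuse instead of returning data.
        RAISE_APPLICATION_ERROR(-20001, 'not authorized for this account');
    END IF;
    DBMS_OUTPUT.PUT_LINE(v_row.account_id || ' balance=' || v_row.balance);
    CLOSE c_balance;
END show_balance;
/
```

The protection holds only if the web tier also calls the procedure with bind variables; building the `show_balance(...)` call by string concatenation would reintroduce the injection point one layer up.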