Skip to main content
SpringerLink
Log in

Developer-Proof Prevention of SQL Injections

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12637))

Included in the following conference series:

Abstract

SQL queries, when written by unskilled or hurried developers for web applications, are prone to SQL injections. We propose an alternative approach for querying SQL databases that does not suffer from this flaw. Our approach is based on abstract syntax trees, lets developers build dynamic queries easily, and is easier to set up than an ORM tool. We provide a proof-of-concept in Java, but our approach can be extended to other languages.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Hibernate project. http://hibernate.org/

  2. jOOQ website. https://www.jooq.org/

  3. Querydsl website. http://www.querydsl.com/

  4. Ahmad, K., Shekhar, J., Yadav, K.: Classification of SQL injection attacks. VSRD Tech. Non-Techn. J. I(4), 235ā€“242 (2010)

    Google ScholarĀ 

  5. Bergmann, S., Blankerts, A., Priebsch, S.: Why magic quotes are gone in PHP 7, August 2017. https://thephp.cc/news/2017/08/why-magic-quotes-are-gone-in-php7

  6. Buehrer, G.T., Weide, B.W., Sivilotti, P.A.G.: Using parse tree validation to prevent SQL injection attacks. In: Proceedings of the International Workshop on Software Engineering and Middleware (SEM) at Joint FSE and ESEC, pp. 106ā€“113 (2005)

    Google ScholarĀ 

  7. Courant, J.: Sqltrees: a secure, developper-proof, java library for querying SQL databases (2020). https://github.com/Orange-Cyberdefense/sqltrees

  8. Dahse, J., Holz, T.: Static detection of second-order vulnerabilities in web applications. In: Fu, K., Jung, J. (eds.) Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, 20ā€“22 August 2014, pp. 989ā€“1003. USENIX Association (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/dahse

  9. Eder, L.: Never concatenate strings with jOOQ. jOOQ blog, March 2020. https://blog.jooq.org/2020/03/04/never-concatenate-strings-with-jooq/

  10. Gamma, E., Helm, R., Johnson, R., Vlissides, J.: Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley Professional Computing Series, Pearson Education (1994)

    Google ScholarĀ 

  11. Halfond, W.G., Viegas, J., Orso, A.: A classification of SQL-injection attacks and countermeasures. In: Proceedings of the International Symposium on Secure Software Engineering, Washington, D.C., USA, March 2006

    Google ScholarĀ 

  12. Karwin, B.: SQL injection myths and fallacies (2012). https://www.percona.com/sites/default/files/WEBINAR-SQL-Injection-Myths.pdf

  13. Luo, Z., Rezk, T., Serrano, M.: Automated code injection prevention for web applications. In: Mƶdersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 186ā€“204. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27375-9_11

    ChapterĀ  Google ScholarĀ 

  14. McClure, R.A., Kruger, I.H.: SQL DOM: compile time checking of dynamic SQL statements. In: Proceedings. 27th International Conference on Software Engineering, ICSE 2005, pp. 88ā€“96 (2005)

    Google ScholarĀ 

  15. Milner, R.: A theory of type polymorphism in programming. J. Comput. Syst. Sci. 17, 348ā€“375 (1978)

    ArticleĀ  MathSciNetĀ  Google ScholarĀ 

  16. OWASP project: SQL injection prevention cheat sheet (2020). https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

  17. Puppy, R.F.: NT web technology vulnerabilities. Phrack Mag. 8(54) (1998). http://phrack.org/issues/54/8.html

  18. van der Stock, A., Glass, B., Smithline, N., Gigler, T.: OWASP Top 10 (2017). https://web.archive.org/web/20200406122129/owasp.org/www-pdf-archive/OWASP_Top_10-2017_(en).pdf.pdf

  19. Su, Z., Wassermann, G.: The essence of command injection attacks in web applications. In: Morrisett, J.G., Jones, S.L.P. (eds.) Proceedings of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2006, Charleston, South Carolina, USA, pp. 372ā€“382. ACM (2006). https://doi.org/10.1145/1111037.1111070

  20. Sun, S.T., Wei, T.H., Liu, S., Lau, S.: Classification of SQL injection attacks. University of Columbia, Term Project (2007). https://courses.ece.ubc.ca/cpen442/term_project/reports/2007-fall/Classification_of_SQL_Injection_Attacks.pdf

  21. Wikipedia, The Free Encyclopedia: Embedded SQL, March 2020

    Google ScholarĀ 

  22. Wikipedia, The Free Encyclopedia: SQL Reserved Words, March 2020

    Google ScholarĀ 

  23. Wikipedia, The Free Encyclopedia: SQLJ, March 2020

    Google ScholarĀ 

  24. Wall, K., Seil, M.: The OWASP enterprise security API. https://web.archive.org/web/20200331100823/owasp.org/www-project-enterprise-security-api/

Download references

Acknowledgments

Claire Vacherot and the anonymous referees provided valuable feedback that helped improve the article.

Author information

Authors and Affiliations

  1. Orange Cyberdefense, Lyon, France

    Judicaƫl Courant

Authors
  1. Judicaƫl Courant
    View author publications

    You can also search for this author in PubMedĀ Google Scholar

Corresponding author

Correspondence to Judicaƫl Courant .

Editor information

Editors and Affiliations

  1. Polytechnique MontrƩal, MontrƩal, QC, Canada

    Gabriela Nicolescu

  2. CEA-Leti Technology Research Institute, Grenoble, France

    Assia Tria

  3. Polytechnique MontrƩal, MontrƩal, QC, Canada

    JosƩ M. Fernandez

  4. University of Lorraine, Vandœuvre lĆØs Nancy, France

    Jean-Yves Marion

  5. TƩlƩcom SudParis, Evry, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

Ā© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Courant, J. (2021). Developer-Proof Prevention of SQL Injections. In: Nicolescu, G., Tria, A., Fernandez, J.M., Marion, JY., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2020. Lecture Notes in Computer Science(), vol 12637. Springer, Cham. https://doi.org/10.1007/978-3-030-70881-8_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-70881-8_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-70880-1

  • Online ISBN: 978-3-030-70881-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation