Abstract
SQL queries, when written by unskilled or hurried developers for web applications, are prone to SQL injections. We propose an alternative approach for querying SQL databases that does not suffer from this flaw. Our approach is based on abstract syntax trees, lets developers build dynamic queries easily, and is easier to set up than an ORM tool. We provide a proof-of-concept in Java, but our approach can be extended to other languages.
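As an added illustration of the approach the abstract describes (example code written for this page, not the paper's sqltrees library or its API), the following Java sketch builds a query as an abstract syntax tree and renders it to SQL text plus an ordered bind list. The node types, the `select` and `findUsers` methods, and the `users` table with its `name` and `age` columns are all assumptions constructed for the demo.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added example (not the paper's sqltrees code): a tiny query AST.
// Untrusted values can only enter as Param nodes, which render as "?"
// placeholders; SQL text is produced solely from node types and
// validated identifiers, so user data never becomes query structure.
public final class AstQueryDemo {

    /** A rendered query: SQL text with placeholders plus ordered bind values. */
    public static final class Rendered {
        public final String sql;
        public final List<Object> params;
        Rendered(String sql, List<Object> params) { this.sql = sql; this.params = params; }
    }

    /** Every node emits its SQL fragment and pushes its parameters in order. */
    public interface Node {
        void render(StringBuilder sql, List<Object> params);
    }

    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /** Column or table reference; identifiers are validated because they cannot be bound. */
    public static final class Column implements Node {
        private final String name;
        public Column(String name) {
            if (!IDENT.matcher(name).matches())
                throw new IllegalArgumentException("invalid identifier: " + name);
            this.name = name;
        }
        public void render(StringBuilder sql, List<Object> params) { sql.append(name); }
    }

    /** Bound value: always rendered as "?"; the value itself never touches the SQL text. */
    public static final class Param implements Node {
        private final Object value;
        public Param(Object value) { this.value = value; }
        public void render(StringBuilder sql, List<Object> params) { sql.append('?'); params.add(value); }
    }

    /** Binary comparison; the operator is restricted to a fixed set. */
    public static final class Compare implements Node {
        private static final List<String> OPS = List.of("=", "<>", "<", "<=", ">", ">=", "LIKE");
        private final Node left; private final String op; private final Node right;
        public Compare(Node left, String op, Node right) {
            if (!OPS.contains(op)) throw new IllegalArgumentException("unsupported operator: " + op);
            this.left = left; this.op = op; this.right = right;
        }
        public void render(StringBuilder sql, List<Object> params) {
            left.render(sql, params); sql.append(' ').append(op).append(' '); right.render(sql, params);
        }
    }

    /** Conjunction of conditions; an empty AND renders as a tautology so optional filters compose. */
    public static final class And implements Node {
        private final List<Node> terms = new ArrayList<>();
        public And add(Node term) { terms.add(term); return this; }
        public void render(StringBuilder sql, List<Object> params) {
            if (terms.isEmpty()) { sql.append("1 = 1"); return; }
            sql.append('(');
            for (int i = 0; i < terms.size(); i++) {
                if (i > 0) sql.append(" AND ");
                terms.get(i).render(sql, params);
            }
            sql.append(')');
        }
    }

    /** SELECT columns FROM table WHERE condition, rendered to text plus bind list. */
    public static Rendered select(String table, List<String> columns, Node where) {
        StringBuilder sql = new StringBuilder("SELECT ");
        List<Object> params = new ArrayList<>();
        for (int i = 0; i < columns.size(); i++) {
            if (i > 0) sql.append(", ");
            new Column(columns.get(i)).render(sql, params);
        }
        sql.append(" FROM ");
        new Column(table).render(sql, params);
        sql.append(" WHERE ");
        where.render(sql, params);
        return new Rendered(sql.toString(), params);
    }

    /** Dynamic query: each filter is added only when the caller supplies it. */
    public static Rendered findUsers(String nameFilter, Integer minAge) {
        And where = new And();
        if (nameFilter != null) where.add(new Compare(new Column("name"), "=", new Param(nameFilter)));
        if (minAge != null)     where.add(new Compare(new Column("age"), ">=", new Param(minAge)));
        return select("users", List.of("id", "name"), where);
    }

    public static void main(String[] args) {
        // Constructed sample input: a name containing a quote and SQL-looking text.
        Rendered r = findUsers("' OR 1=1 --", 18);
        System.out.println(r.sql);
        System.out.println(r.params);
        // Pass r.sql to a PreparedStatement and bind r.params with setObject(i + 1, ...):
        // the string stays a literal value and cannot change the query's structure.
    }
}
```

The point the abstract makes is visible in the rendered output: the WHERE clause is built entirely from node types and validated identifiers, `(name = ? AND age >= ?)`, while the untrusted string appears only in the bind list. A developer cannot concatenate raw text into the tree, so the class of mistake that produces an injection has no API through which to happen; the remaining caveats are that identifiers (table and column names) cannot be bound and therefore still need validation or a fixed whitelist, as the `Column` constructor shows.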
Acknowledgments
Claire Vacherot and the anonymous referees provided valuable feedback that helped improve the article.
© 2021 Springer Nature Switzerland AG
Courant, J. (2021). Developer-Proof Prevention of SQL Injections. In: Nicolescu, G., Tria, A., Fernandez, J.M., Marion, JY., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2020. Lecture Notes in Computer Science, vol 12637. Springer, Cham. https://doi.org/10.1007/978-3-030-70881-8_6
DOI: https://doi.org/10.1007/978-3-030-70881-8_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-70880-1
Online ISBN: 978-3-030-70881-8