Abstract
SQL injection is a class of database attack against web applications. Database security is compromised when wildcard characters, malicious code, or a malicious SQL query string are injected into the database query. The resulting changes in query syntax and semantics allow an attacker to gain access to sensitive information and manipulate the database. Various techniques have been developed to detect and prevent this type of attack. In this article, we propose a method for preventing and detecting SQL injection. The method manipulates the SQL query input parameters and determines the distance between query strings. It handles both static and dynamic queries.
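The abstract describes the approach only in general terms. As an added illustration (not the paper's own algorithm), the Python sketch below strips the attribute values out of a query and measures the token distance between the query built from benign stand-in inputs and the query built from the real inputs; `build_user_query`, the stand-in rule and the sample inputs are constructed for this example.

```python
import re
from difflib import SequenceMatcher
from typing import Callable

# Constructed tokenizer: quoted string literals ('' escapes a quote), numbers,
# words (keywords/identifiers) and single punctuation symbols.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|\d+(?:\.\d+)?|\w+|[^\s\w]")


def skeleton(query: str) -> list[str]:
    """Manipulate the input attributes away: every string or numeric literal
    becomes '?', words are case-folded, so only the query structure remains."""
    return ["?" if t.startswith("'") or t[0].isdigit() else t.upper()
            for t in TOKEN_RE.findall(query)]


def token_distance(a: list[str], b: list[str]) -> int:
    """Edit distance between two token skeletons: the size of every
    non-matching span reported by SequenceMatcher."""
    sm = SequenceMatcher(None, a, b, autojunk=False)
    return sum(max(i2 - i1, j2 - j1)
               for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal")


def check_query(build: Callable[[dict], str], params: dict) -> tuple[bool, int]:
    """Run the application's query builder twice: with benign stand-ins of the
    same type as each input (0 / 'x') and with the real inputs. Benign input
    changes only literal values, so the skeletons match (distance 0); an
    injected value alters the structure and the distance is positive. Because
    the builder runs both times, optional (dynamic) clauses are handled too."""
    benign = {k: (0 if isinstance(v, int) else "x") for k, v in params.items()}
    d = token_distance(skeleton(build(benign)), skeleton(build(params)))
    return d > 0, d


def build_user_query(p: dict) -> str:
    # Constructed example of a dynamically assembled query that concatenates
    # user input, i.e. the kind of code the detector is meant to protect.
    q = f"SELECT id, name FROM users WHERE name = '{p['name']}'"
    if "min_age" in p:
        q += f" AND age >= {p['min_age']}"
    return q


if __name__ == "__main__":
    print(check_query(build_user_query, {"name": "alice", "min_age": 21}))
    print(check_query(build_user_query, {"name": "alice' OR '1'='1"}))
```

Identifier-valued inputs (column names in ORDER BY) would need a separate stand-in rule, since a benign identifier also differs from the stand-in token.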
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Mahesh, R., Chellathurai, S., Thirunavukkarasu, M., Raman, P. (2024). SQL Injection Attack Detection and Prevention Based on Manipulating the SQL Query Input Attributes. In: Aurelia, S., J., C., Immanuel, A., Mani, J., Padmanabha, V. (eds) Computational Sciences and Sustainable Technologies. ICCSST 2023. Communications in Computer and Information Science, vol 1973. Springer, Cham. https://doi.org/10.1007/978-3-031-50993-3_17
DOI: https://doi.org/10.1007/978-3-031-50993-3_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-50992-6
Online ISBN: 978-3-031-50993-3
eBook Packages: Computer Science (R0)