Abstract
SQL injection is ranked first in the OWASP Top 10 list of web application vulnerabilities and has been behind large-scale attacks on many websites in recent years. In spite of preventive measures such as educating developers about safe coding practices, statistics show that these vulnerabilities still dominate the top of the list. Various static and dynamic approaches have been proposed to mitigate them. In this paper, we present a hybrid approach to preventing SQL injection attacks in PHP, a popular server-side scripting language. The technique prevents SQL injection in a dynamic web content environment without the use of complex string-analyzer logic. Initially, we construct a query model for each hotspot (each point in the application code that issues a query) by running the application in a safe mode. In the production environment, each dynamically generated query is validated against the model for its hotspot. Our results and analysis show that the proposed approach is simple and effective at preventing common SQL injection vulnerabilities.
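The two phases the abstract describes (learn a per-hotspot query model in safe mode, then validate production queries against it) can be illustrated with a small structural query model. The following is an added example written for this page, not the authors' implementation: the paper's own model construction is not shown here, and the hotspot labels (`login.php:42`, `report.php:17`), the tokenizer and the sample queries are all assumptions made for the illustration. Python is used so the example runs stand-alone; the idea transfers directly to a PHP wrapper around the database call. The model records the token structure of each query with string and numeric literals abstracted to a placeholder, so a benign request with different values matches, while tautologies, comment truncation, stacked statements and UNION payloads change the structure and are rejected.

```python
import re
from collections import defaultdict

# SQL keywords kept verbatim in the structure; any other word is an identifier.
# Minimal list for the example, not a full dialect grammar (assumption).
KEYWORDS = {
    "SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO", "VALUES",
    "UPDATE", "SET", "DELETE", "UNION", "ALL", "ORDER", "BY", "LIMIT", "IN",
    "LIKE", "IS", "NULL", "JOIN", "ON", "AS", "DROP", "TABLE", "GROUP", "HAVING",
}

# Order matters: comments before operators (so "--" is a comment), strings
# before the catch-all so a doubled quote ('') inside a literal is handled.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<str>'(?:[^']|'')*')
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<op><=|>=|<>|!=|\|\||[-+*/%=<>(),;.])
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    """Turn a query into structural tokens; literal values become '?'."""
    tokens = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind in ("str", "num"):
            tokens.append("?")          # value abstracted away
        elif kind == "comment":
            tokens.append("COMMENT")    # kept: injected comments alter structure
        elif kind == "word":
            up = text.upper()
            tokens.append(up if up in KEYWORDS else "ID:" + text.lower())
        else:
            tokens.append(text)         # operator, punctuation or stray char
    return tokens


def signature(sql):
    """Structural signature of a query as a hashable tuple."""
    out = []
    for t in tokenize(sql):
        # Collapse "?, ?, ?" runs (IN lists, VALUES tuples) to a single "?",
        # so a legitimately variable number of literals maps to one structure.
        if t == "?" and len(out) >= 2 and out[-1] == "," and out[-2] == "?":
            out.pop()
            continue
        out.append(t)
    return tuple(out)


class QueryModel:
    """Per-hotspot set of allowed query structures."""

    def __init__(self):
        self._allowed = defaultdict(set)

    def learn(self, hotspot, sql):
        """Safe-mode phase: record the structure produced at this hotspot."""
        self._allowed[hotspot].add(signature(sql))

    def validate(self, hotspot, sql):
        """Production phase: accept only structures seen in safe mode."""
        return signature(sql) in self._allowed[hotspot]


def demo():
    """Learn from constructed safe-mode queries, then check production ones."""
    model = QueryModel()
    login, lookup = "login.php:42", "report.php:17"   # assumed hotspot ids
    # Safe-mode run with trusted inputs (constructed for this example).
    model.learn(login, "SELECT id FROM users WHERE name='alice' AND pass='s3cret'")
    model.learn(lookup, "SELECT * FROM orders WHERE id IN (7, 9, 12)")

    return {
        "benign_login": model.validate(
            login, "SELECT id FROM users WHERE name='bob' AND pass='x'"),
        "tautology": model.validate(
            login, "SELECT id FROM users WHERE name='' OR '1'='1' AND pass='x'"),
        "comment": model.validate(
            login, "SELECT id FROM users WHERE name='admin'--' AND pass='x'"),
        "longer_in_list": model.validate(
            lookup, "SELECT * FROM orders WHERE id IN (1, 2, 3, 4, 5)"),
        "stacked": model.validate(
            lookup, "SELECT * FROM orders WHERE id IN (7); DROP TABLE orders; -- )"),
        "union": model.validate(
            lookup, "SELECT * FROM orders WHERE id IN (1) UNION SELECT * FROM users"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} -> {'ACCEPT' if accepted else 'REJECT'}")
```

Two caveats a practitioner would check before relying on this: the model is only as complete as the safe-mode run, so any hotspot structure not exercised in safe mode is rejected in production (a false positive, not a bypass), and the tokenizer must agree with the target database's lexer (quoting rules, comment syntax, dialect-specific operators), otherwise a payload the lexer sees differently from the model can slip through.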
References
Halfond, W., Orso, A.: AMNESIA: Analysis and Monitoring for NEutralizing SQL Injection Attacks. In: Proc. 20th IEEE and ACM Int’l Conf. Automated Software Eng., pp. 174–183 (2005)
Halfond, W.G., Orso, A.: Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks. In: Proceedings of the Third International ICSE Workshop on Dynamic Analysis (WODA 2005), St. Louis, MO, USA, pp. 22–28 (May 2005)
Boyd, S.W., Keromytis, A.D.: SQLrand: Preventing SQL injection attacks. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 292–302. Springer, Heidelberg (2004)
Buehrer, G.T., Weide, B.W., Sivilotti, P.A.G.: Using Parse Tree Validation to Prevent SQL Injection Attacks. In: International Workshop on Software Engineering and Middleware, SEM (2005)
Su, Z., Wassermann, G.: The Essence of Command Injection Attacks in Web Applications. In: The 33rd Annual Symposium on Principles of Programming Languages, POPL 2006 (January 2006)
McClure, R., Kruger, I.: SQL DOM: Compile Time Checking of Dynamic SQL Statements. In: Proceedings of the 27th International Conference on Software Engineering (ICSE 2005), pp. 88–96 (2005)
Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise Analysis of String Expressions. In: Cousot, R. (ed.) SAS 2003. LNCS, vol. 2694, pp. 1–18. Springer, Heidelberg (2003)
Gould, C., Su, Z., Devanbu, P.: JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications. In: Proceedings of the 26th International Conference on Software Engineering (ICSE 2004) Formal Demos, pp. 697–698 (2004)
Monticelli, F.: SQLPrevent. PhD thesis, University of British Columbia (UBC), Vancouver, Canada (2008)
OWASP: Top ten most critical web application vulnerabilities (2010), http://www.owasp.org/index.php/Top_10_2010-Main
PHP usage statistics, http://www.php.net/usage.php
Wikipedia, http://en.wikipedia.org/wiki/PHP
System Administration, Networking, and Security Institute (SANS), http://www.sans.org/
Cook, W.R., Rai, S.: Safe Query Objects: Statically Typed Objects as Remotely Executable Queries. In: Proc. 27th Intl Conf. Software Eng., pp. 97–106 (May 2005)
Amirtahmasebi, K., et al.: A survey of SQL injection defense mechanisms. In: Int. Conf. for Internet Technology and Secured Transactions, ICITST 2009, pp. 1–8 (November 2009)
PHP Open source web applications, http://www.goto.com
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Sadalkar, K., Mohandas, R., Pais, A.R. (2011). Model Based Hybrid Approach to Prevent SQL Injection Attacks in PHP. In: Joye, M., Mukhopadhyay, D., Tunstall, M. (eds) Security Aspects in Information Technology. InfoSecHiComNet 2011. Lecture Notes in Computer Science, vol 7011. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24586-2_3
DOI: https://doi.org/10.1007/978-3-642-24586-2_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24585-5
Online ISBN: 978-3-642-24586-2
eBook Packages: Computer Science (R0)