Model Based Hybrid Approach to Prevent SQL Injection Attacks in PHP

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7011))

Abstract

SQL injection is ranked 1st in the OWASP Top 10 vulnerability list and has resulted in massive attacks on a number of websites in the past few years. In spite of preventive measures such as educating developers about safe coding practices, statistics show that these vulnerabilities still dominate the top of the list. Various static and dynamic approaches have been proposed to mitigate this vulnerability. In this paper, we present a hybrid approach to prevent SQL injection attacks in PHP, a popular server-side scripting language. This technique is more effective at preventing SQL injection attacks in a dynamic web content environment, without the use of complex string-analyzer logic. Initially, we construct a query model for each hotspot by running the application in safe mode. In the production environment, dynamically generated queries are validated against that model. The results and analysis show that the proposed approach is simple and effective at preventing common SQL injection vulnerabilities.
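The abstract describes a two-phase scheme: run the application in safe mode to learn, per query hotspot, which query structures it legitimately produces, then in production validate every generated query against that learned model. The following PHP is an added illustration in the spirit of that description, not the paper's implementation. The hotspot naming (`file:line`), the token-based skeleton used to approximate the query model, the `QueryModel` class and its JSON persistence, and the sample inputs are all assumptions of this example.

```php
<?php
declare(strict_types=1);
// Added example, not the paper's code. Hotspot ids, the tokenizer-based
// "skeleton" and the JSON model format are assumptions of this illustration.

/**
 * Reduce a SQL string to its structural skeleton: keywords, identifiers and
 * operators are kept (upper-cased); every literal becomes a placeholder.
 * Two queries with the same skeleton differ only in literal values.
 */
function sqlSkeleton(string $sql): string
{
    // Alternation order matters: string literals and comments are matched
    // before the single-character operators they could otherwise start with.
    $pattern = <<<'RE'
/'(?:[^'\\]|\\.|'')*'|"(?:[^"\\]|\\.)*"|`[^`]+`|--[^\n]*|#[^\n]*|\/\*.*?\*\/|\d+(?:\.\d+)?|[A-Za-z_][A-Za-z0-9_.]*|<>|<=|>=|!=|[-=<>(),;*+\/%]|\S/s
RE;
    preg_match_all($pattern, $sql, $matches);
    $tokens = [];
    foreach ($matches[0] as $tok) {
        $first = $tok[0];
        $two   = substr($tok, 0, 2);
        if ($first === "'" || $first === '"') {
            $tokens[] = 'STR';                           // string literal
        } elseif (ctype_digit($first)) {
            $tokens[] = 'NUM';                           // numeric literal
        } elseif ($two === '--' || $two === '/*' || $first === '#') {
            $tokens[] = 'COMMENT';                       // a comment is structure too
        } else {
            $tokens[] = strtoupper($tok);                // keyword / identifier / operator
        }
    }
    return implode(' ', $tokens);
}

/** Per-hotspot allow-list of query skeletons, learned in safe mode. */
final class QueryModel
{
    /** @var array<string, array<string, true>> hotspot id => set of skeletons */
    private array $allowed = [];

    /** Safe-mode (learning) phase: record the structure observed at a hotspot. */
    public function learn(string $hotspot, string $sql): void
    {
        $this->allowed[$hotspot][sqlSkeleton($sql)] = true;
    }

    /** Production phase: accept only structures seen during learning. */
    public function validate(string $hotspot, string $sql): bool
    {
        return isset($this->allowed[$hotspot][sqlSkeleton($sql)]);
    }

    public function toJson(): string
    {
        return json_encode($this->allowed, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);
    }

    public static function fromJson(string $json): self
    {
        $m = new self();
        $m->allowed = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        return $m;
    }
}

/** One hotspot of a (deliberately naive, concatenating) application. */
function buildLoginQuery(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE name = '$user' AND pass = '$pass'";
}

// --- Safe-mode run: drive the hotspot with benign inputs to build the model ---
$hotspot = 'login.php:42';                         // assumed id: file and line of the call
$model   = new QueryModel();
foreach ([['alice', 'secret'], ['bob', 'hunter2']] as [$u, $p]) {
    $model->learn($hotspot, buildLoginQuery($u, $p));
}
$stored = $model->toJson();                        // persisted between the two phases

// --- Production run: validate each generated query before it reaches the DB ---
$prod  = QueryModel::fromJson($stored);
$cases = [
    ['carol', 'pw'],                               // new values, same structure: accepted
    ["alice' OR '1'='1", 'x'],                     // constructed tautology input: rejected
];
foreach ($cases as [$u, $p]) {
    $sql = buildLoginQuery($u, $p);
    $ok  = $prod->validate($hotspot, $sql);
    printf("%-6s %s\n       skeleton: %s\n", $ok ? 'ACCEPT' : 'REJECT', $sql, sqlSkeleton($sql));
}
```

The first production case keeps the learned skeleton `SELECT ID FROM USERS WHERE NAME = STR AND PASS = STR`, so it is accepted; the second adds `OR STR = STR` to the structure, so it is rejected before execution. Two practical caveats follow from this design: the safe-mode run must exercise every legitimate code path at a hotspot (a conditionally appended `WHERE` or `ORDER BY` clause that was never seen in learning will be a false positive in production), and a token skeleton only approximates the paper's query model, so a parse-tree comparison would be the more precise, and more expensive, alternative.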



Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sadalkar, K., Mohandas, R., Pais, A.R. (2011). Model Based Hybrid Approach to Prevent SQL Injection Attacks in PHP. In: Joye, M., Mukhopadhyay, D., Tunstall, M. (eds) Security Aspects in Information Technology. InfoSecHiComNet 2011. Lecture Notes in Computer Science, vol 7011. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24586-2_3

  • DOI: https://doi.org/10.1007/978-3-642-24586-2_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24585-5

  • Online ISBN: 978-3-642-24586-2
