SQL Injection Attack Mechanisms and Prevention Techniques

  • Conference paper
Advanced Computing, Networking and Security (ADCONS 2011)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 7135)

Abstract

SQL injection attacks have been known for over a decade, yet most web applications deployed today remain vulnerable to them. Two factors drive this: the web has made it easy for new developers to build web applications without attending to security flaws, and SQL injection is widely assumed to be a simple problem with a simple remedy. To bring security to this wider developer audience, we propose a classification that not only enumerates but also categorizes the attack methodologies, the testing frameworks and the prevention mechanisms. We intend the classification to clarify the state of the art on both the attack side and the defence side and to lay the groundwork for future work in this area.
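As an added illustration that is not part of the paper (only the abstract is shown on this page), the following Python script shows the attack mechanism the abstract refers to beside the remedy that is assumed to be simple: a login query built by string concatenation against an in-memory SQLite table, next to the same query with bound parameters. The table, its two rows, the payloads and the `login_*` function names are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database for the example: an in-memory SQLite table
    with two users. Not taken from the paper."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    """Builds the statement by string concatenation. Attacker-controlled text is
    parsed as part of the SQL grammar, so a quote in `name` or `pw` can close
    the string literal and rewrite the WHERE clause."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name + "' "
        "AND pw = '" + pw + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, pw):
    """Same query with bound parameters. The statement text is fixed; the
    driver passes the values separately, so the input is only ever compared
    as data and can never change the query's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name, pw))]


# Two classic mechanisms, both constructed for this example:
TAUTOLOGY = "' OR '1'='1"   # closes the pw literal and adds an always-true disjunct:
                            #   ... AND pw = '' OR '1'='1'
COMMENT = "alice'--"        # closes the name literal and comments out the pw check:
                            #   ... WHERE name = 'alice'--' AND pw = ''


def demo():
    """Runs each payload through both versions and returns the matched rows."""
    conn = make_db()
    return {
        "tautology_concat": login_vulnerable(conn, "alice", TAUTOLOGY),      # every user
        "tautology_bound": login_parameterized(conn, "alice", TAUTOLOGY),    # no match
        "comment_concat": login_vulnerable(conn, COMMENT, ""),               # alice, no password
        "comment_bound": login_parameterized(conn, COMMENT, ""),             # no match
        "legit_bound": login_parameterized(conn, "alice", "s3cret"),         # normal login works
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18s} -> {rows}")
```

Bound parameters neutralize both payloads because the values never reach the SQL parser. The caveat that makes the remedy less simple than it looks: placeholders can only stand in value positions, so identifiers, table names and `ORDER BY` direction built from user input still need an allow-list, and stored procedures that assemble dynamic SQL internally reintroduce the same concatenation problem one layer down.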

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chandrashekhar, R., Mardithaya, M., Thilagam, S., Saha, D. (2012). SQL Injection Attack Mechanisms and Prevention Techniques. In: Thilagam, P.S., Pais, A.R., Chandrasekaran, K., Balakrishnan, N. (eds) Advanced Computing, Networking and Security. ADCONS 2011. Lecture Notes in Computer Science, vol 7135. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29280-4_61

  • DOI: https://doi.org/10.1007/978-3-642-29280-4_61

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29279-8

  • Online ISBN: 978-3-642-29280-4
