Open Access Open Access  Restricted Access Subscription Access
Open Access Open Access Open Access  Restricted Access Restricted Access Subscription Access

Combinatorial Approach to Prevent SQL Injection Attack


Affiliations
1 Dept. of Information Technology, Nagpur Institute of Technology, Nagpur, Iceland
2 Dept. of Mechanical Engineering, Nagpur Institute of Technology, Nagpur, India
     

   Subscribe/Renew Journal


As more businesses and organizations provide online services, the number of web sites or applications which are linked to a database has increased greatly. Often the data held in such databases is confidential or private - and possibly of great interest to a hacker, disgruntled employee, or criminal group. While the database and the server holding it may have been secured, the design of the web interface is often overlooked and could allow unauthorized users access to the database. SQL injection, the use of database commands in the SQL language where user input is expected, remains a top threat. It was the 3rd listed error in the January 2009 "CWE/SANS Top 25 Most Dangerous Programming Errors"[a] and has been the mechanism for a number of prevalent attacks. For example, through most of 2008 there were ongoing, indiscriminate and widespread attacks on vulnerable web sites, which added a link to a malicious file (usually JavaScript) that most web site visitors would unintentionally run on loading the page. This then caused the visitor's computer to be infected with malware. Even well-known and widely trusted web sites were affected by this problem. This document will illustrate some of the main techniques used in SQL injection, then describe methods that can reduce the effectiveness of such attacks. In addition to usual standard IT best practice, such as logging and regular and prompt patching, the majority of SQL injection vulnerabilities can be moderated through careful and robust programming. It is hoped that the information provided here will highlight the seriousness of leaving this type of flaw unaddressed and promote the improved design of database-linked Internet resources.
Subscription Login to verify subscription
User
Notifications
Font Size


Abstract Views: 223

PDF Views: 0




  • Combinatorial Approach to Prevent SQL Injection Attack

Abstract Views: 223  |  PDF Views: 0

Authors

Neha Tiwari
Dept. of Information Technology, Nagpur Institute of Technology, Nagpur, Iceland
Praful Daharwal
Dept. of Mechanical Engineering, Nagpur Institute of Technology, Nagpur, India
Samrat Kavishwar
Dept. of Mechanical Engineering, Nagpur Institute of Technology, Nagpur, India

Abstract


As more businesses and organizations provide online services, the number of web sites or applications which are linked to a database has increased greatly. Often the data held in such databases is confidential or private - and possibly of great interest to a hacker, disgruntled employee, or criminal group. While the database and the server holding it may have been secured, the design of the web interface is often overlooked and could allow unauthorized users access to the database. SQL injection, the use of database commands in the SQL language where user input is expected, remains a top threat. It was the 3rd listed error in the January 2009 "CWE/SANS Top 25 Most Dangerous Programming Errors"[a] and has been the mechanism for a number of prevalent attacks. For example, through most of 2008 there were ongoing, indiscriminate and widespread attacks on vulnerable web sites, which added a link to a malicious file (usually JavaScript) that most web site visitors would unintentionally run on loading the page. This then caused the visitor's computer to be infected with malware. Even well-known and widely trusted web sites were affected by this problem. This document will illustrate some of the main techniques used in SQL injection, then describe methods that can reduce the effectiveness of such attacks. In addition to usual standard IT best practice, such as logging and regular and prompt patching, the majority of SQL injection vulnerabilities can be moderated through careful and robust programming. It is hoped that the information provided here will highlight the seriousness of leaving this type of flaw unaddressed and promote the improved design of database-linked Internet resources.