Sqlshield: Preventing SQL injection attacks by modifying user input data


Abstract

SQL injection attacks, a class of code injection attacks, pose a serious threat to web applications. A web server allows users to perform a query in order to get the intended service, where the SQL queries containing user inputs are executed by the database server. An attacker can take advantage of this query-response mechanism to inject some characters into the user input based on the attack strategy. This may lead to an SQL injection attack. If an attacker can bypass the SQL injection defense put at the web server, then the attacker can obtain some sensitive information from the database. In this paper, we present a scheme, SQLshield, that prevents SQL injection attacks in web applications. SQLshield uses a randomization technique that modifies the user input data before the SQL query is executed at the database server. The randomization technique used in SQLshield modifies the user input data in such a way that the execution of the resultant SQL query does not divert from its programmer-intended execution. We compare SQLshield with other schemes and show that SQLshield performs better than the other approaches used to detect and prevent SQL injection attacks.

Cite

Mehta, P., Sharda, J., & Das Maniklal, M. L. (2015). Sqlshield: Preventing SQL injection attacks by modifying user input data. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9478, pp. 192–206). Springer Verlag. https://doi.org/10.1007/978-3-319-26961-0_12
