SQL Injection Detection and Prevention Using Input Filter Technique

Abstract

-SQL injection attacks, a class of injection flaw in which specially crafted input strings leads to illegal queries to databases, are one of the topmost threats to web applications. A number of research prototypes and commercial products that maintain the queries structure in web applications have been developed. But these techniques either fail to address the full scope of the problem or have limitations. Based on our observation that the injected string in a SQL injection attack is interpreted differently on different databases, in this paper, we propose a novel and effective solution to solve this problem. It has been proposed to detect various types of SQLIA. This method checks the attribute value for single quote, double dash and space provided by the user through the input fields. When attacker is making SQL injection he should probably use a space, single quotes or double dashes in his input. Depending on the no of space, double dash and single quote the count value of the input field (having default count as1) will get increased by 1 respectively. The fixed count value and the dynamically generated count value of the input parameters are then compared. If both the count values are same, there is no SQLIA and if they vary that means some SQL code has been injected through the input fields. Finally such attempt will be recorded separately and will be blocked to access the database.