Prevention of SQL Injection Using a Comprehensive Input Sanitization Methodology

Abstract

Databases are essential to modern-day web applications. Structured Query Language (SQL) used to retrieve information from relational database is prone to injection attack by a malicious user. Losing access to application database destroys all credibility for the organization. Mitigating against SQL injection attacks is a critical concern. This paper proposes a methodology for the safe flow of SQL query from the user layer to the database layer. The proposed methodology uses the process of client-side input sanitization to validate user input before a dynamic SQL query is constructed. On the server-side, another process provides server-side query sanitization to ensure a full-proof validation of the SQL query before it is run on the database. The client-side input sanitization process is presented in the paper. On comparison with related methodologies, the proposed methodology is robust, lightweight, and fast.