Injection, Detection, Prevention of SQL Injection Attacks

Abstract

In today's era, Web applications play a very great role in individual life as well as in the development of the any country. The use of web application has become raisingly popular in our daily life as reading newspaper, making online payments for shopping etc. A SQL injection attack imposes a serious threat to the insurance of web applications because they may give attackers unrestricted access to databases that contain sensitive information. This paper gives an overview to the SQL Injection attacks (SQLIA) and methods how to prevent them. We will discuss all the proposed models to stop SQL Injections. In this paper we present a detail on numerous types of SQL injection attacks and prevention technique for web application. We also describes the technique to prevent injections attacks occurring due to dynamic SQL statements in database stored procedures, which are often used in e-commerce applications. Along with presenting our findings from the study, we also note down future expectations and possible development of countermeasures against SQL Injection attacks. KEYWORDS— SQL Injection, database security, stored procedures. INTRODUCTION Web applications are often vulnerable for attackers that can be easily accessed to the application's underlying database. SQL injection attacks occurs only when a malicious user causes a web application to generate and send a query that functions differently than the programmer intended. A SQL injection takes place when the application fails to properly sanitizing the user supplied input used in SQL queries. An attacker can manipulate the SQL statement which is passed at the backend of database management system. This statement runs with the same permissions as the application that executing the query. From now on it will be referred as session user. Modern database management systems are the most powerful applications. They usually provide built-in instruments to interact with the operating system. However, when they are absent, a motivated attacker will still access the system and execute arbitrary commands on the underlying system, this research will walk through how it can be achieved via SQL injection vulnerability, focusing on web-based applications.