IJCSNS International Journal of Computer Science and Network Security, VOL.11 No.1, January 2011
An Approach to Detect and Prevent SQL Injection Attacks in
Database Using Web Service
Indrani Balasundaram (1), Dr. E. Ramaraj (2)
(1) Lecturer, Department of Computer Science, Madurai Kamaraj University, Madurai
(2) Director of Computer Centre, Alagappa University, Karaikudi
Abstract
SQL injection is an attack methodology that targets the data residing in a database, passing through the firewall that shields it. The attack takes advantage of poor input validation in code and in website administration. SQL injection attacks occur when an attacker is able to insert a series of SQL statements into a ‘query’ by manipulating user input data in
The example refers to a fairly simple vulnerability that could be prevented with a straightforward coding fix. It is used for illustrative purposes because it is easy to understand and general enough to illustrate many different types of attack. The code in the example uses the input parameters loginID and password to dynamically build an SQL query and submit it to a database. For example, if a user submits the loginID “secret” and the password “123”, the application dynamically builds and submits the query:
Manuscript received January 5, 2011
Manuscript revised January 20, 2011
SELECT * FROM user_info WHERE loginID='secret' AND pass1=123
If the loginID and password match the corresponding entry in the database, the user is redirected to the user_main.aspx page; otherwise the user is redirected to the error.aspx page.
Imports System.Data.SqlClient

' Vulnerable login as used in the example: the SQL text is built by string
' concatenation from the two form fields. cn is the page's SqlConnection.
Dim loginId, password As String
Dim qry As String
Dim cmd As SqlCommand
Dim rd As SqlDataReader
loginId = Text1.Text
password = Text2.Text
cn.Open()
' loginId is spliced into a quoted string literal and password is concatenated
' unquoted into a numeric comparison; neither is validated or parameterized,
' so both are injection points
qry = "select * from user_info where LoginID='" & loginId & "' and pass1=" & password
cmd = New SqlCommand(qry, cn)
rd = cmd.ExecuteReader()
If rd.Read() = True Then
    Response.Redirect("user_main.aspx")
Else
    Response.Redirect("error.aspx")
End If
Our data is never at rest. Even when organizations depend on their database for storage, there are always copies of the data to be found somewhere else. To serve our men and women in the Army Reserves, data has to be manipulated on the local computer and then sent back to be stored on the database. The moment data is moved to and stored on a local machine so that it can be manipulated is also the moment it is most vulnerable. Despite concerted efforts to ensure data confidentiality, overall security depends on the efforts put forth by the weakest link. The insider threat is one of the hardest risks to mitigate, mainly because insiders initially need legitimate access to the data.
Databases are normally used by businesses and schools to store their data. These databases are kept secure, and users can access only the information on the database that they have been granted access to. Data is added to, accessed, or removed from a database using a query language such as SQL (Structured Query Language), whether the database system is MySQL (pronounced “My Sequel”) or another product.
SQL injection attack process: SQL injection vulnerabilities exist wherever an application needs to dynamically construct SQL statements from the web client's input. Because server-side applications embed SQL statements directly in their database operations, an attacker can get input of their choosing incorporated into those SQL statements. For
SQL injections are a serious threat to web applications: they allow attackers to gain unrestricted access to databases and to the sensitive data those databases contain. Although researchers and practitioners have proposed various strategies to address SQL injection attacks, many solutions are able to solve only some of the issues involved. This document provides the types
SQL injection is a technique in which malicious users inject SQL commands into an SQL statement via web page input. Injected SQL commands can alter the SQL statement and compromise the security of a web application. SQL injection is one of the oldest, most prevalent and most dangerous web application vulnerabilities. I believe attackers could steal information by the following methods. Most web pages have users or a given user ID to log in, and the original idea
Use software that was developed using a secure software design (SSD) model. For example, software developers should not write dynamic queries for databases, and should prevent user-supplied input containing malicious SQL from affecting the logic of the executed query. This will help with the following security threats: SQL injection, buffer
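The following Python script is an added example, not code from the paper or from any of the essays on this page. It ports the paper's concatenated login query above to SQLite, runs two constructed injection inputs against it, and then runs the same inputs against the parameterized form that the secure-software-design paragraph calls for. The table, the sample rows and the attack strings are constructed for illustration; the column names follow the paper's user_info, LoginID and pass1.

```python
import sqlite3

# Constructed sample data mirroring the paper's user_info(LoginID, pass1) table;
# "secret"/123 is the pair the paper itself uses as a legitimate login.
SAMPLE_USERS = [("secret", 123), ("alice", 456)]


def make_db():
    """Create an in-memory SQLite database with the paper's user_info table."""
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE user_info (LoginID TEXT, pass1 INTEGER)")
    cn.executemany("INSERT INTO user_info VALUES (?, ?)", SAMPLE_USERS)
    cn.commit()
    return cn


def login_dynamic(cn, login_id, password):
    """Port of the paper's VB.NET login: the statement is built by string
    concatenation, so both inputs are spliced into the SQL text.
    Returns (query_sent, authenticated)."""
    qry = ("SELECT * FROM user_info WHERE LoginID='" + login_id
           + "' AND pass1=" + password)
    rd = cn.execute(qry).fetchone()
    return qry, rd is not None


def login_parameterized(cn, login_id, password):
    """Hardened form: placeholders carry the values separately from the
    statement text, so input is only ever compared, never parsed as SQL.
    pass1 is numeric in the schema, so the password must parse as an int."""
    try:
        pw = int(password)
    except ValueError:
        return False
    rd = cn.execute(
        "SELECT * FROM user_info WHERE LoginID=? AND pass1=?", (login_id, pw)
    ).fetchone()
    return rd is not None


# Constructed attack inputs aimed at the page's query shape:
#  - pass1 is concatenated unquoted, so a payload in the numeric position
#    needs no quote character at all
#  - LoginID is quoted, so a closing quote plus a comment marker discards
#    the rest of the WHERE clause
INJECTION_CASES = [
    ("nobody", "0 OR 1=1"),
    ("secret'--", "999"),
]


def compare(cn):
    """Run a legitimate login and the injected logins through both versions.
    Returns {(login_id, password): (dynamic_result, parameterized_result)}."""
    results = {}
    for login_id, password in [("secret", "123")] + INJECTION_CASES:
        _, dyn = login_dynamic(cn, login_id, password)
        results[(login_id, password)] = (dyn, login_parameterized(cn, login_id, password))
    return results


if __name__ == "__main__":
    cn = make_db()
    for (login_id, password), (dyn, param) in compare(cn).items():
        print(f"loginID={login_id!r} password={password!r}: "
              f"dynamic={dyn} parameterized={param}")
```

The dynamic version authenticates all three inputs, the parameterized version only the genuine pair. Note that the unquoted numeric position defeats quote-escaping as a defence: the first payload contains no quote at all, which is why the SSD advice is to stop building query text from input rather than to filter characters. Python's sqlite3 module also refuses to execute more than one statement per execute() call, so a stacked-query payload would fail here; that is a property of this particular driver, not a protection to rely on.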
With the advent of the Internet, web applications have become a day-to-day feature of our lives. As the use of online services increases every day, there has been an equally growing concern about security threats to web applications. One of the most common attacks exploiting vulnerabilities in applications, web applications included, is the Structured Query Language injection attack, also known as the SQL injection attack. According to a recent OWASP study, SQL injection ranks highest among the web-based vulnerabilities reported. One of the major motivations for an attacker to perform an SQL injection attack is to retrieve all the contents of the database without any authorization or permission. It is a code injection technique in which an attacker inserts a malicious query into the original, legitimate SQL query. After the query executes, the attacker has access to the database and can read, change, and update data for which he or she has no permission.
SQL injection is one of the main database attack mechanisms used by hackers to loot an organization's data from its databases. The hacker targets the application-layer program and takes advantage of improper coding methods to inject SQL commands through a web form and so gain access to the database. SQL injection may adversely affect the integrity of the database and may reveal the organization's sensitive data. The severity of an SQL injection attack varies with the capabilities of the backend database in use. With the help of SQL injection a hacker can change existing queries, attach additional queries, read from or write to files, or execute operating system commands from the database. To protect organizational data from SQL injection, security measures must be applied both in the application layer and in the database layer. The purpose of this study is to analyze database functionality and security holes, mainly in Oracle and MySQL, and to propose the preventive measures database developers need to consider in the database layer while working with these databases to secure data from SQL injection.
Malicious attacks can come in many forms, but generally speaking attacks fall into one of four categories: Fabrications, in which deception is used to trick users; Interceptions, which involve eavesdropping on transmissions and the unauthorized redirecting of those transmissions; Interruptions, which cause a break in communication and a blockage of data transmission; and Modifications, which alter the data in transmissions (Kim & Solomon, 2012). Brute-force attacks, dictionary attacks, address spoofing, hijacking, replay attacks, man-in-the-middle attacks, masquerading, social engineering, phishing, phreaking, and pharming are all examples of attacks that can have damaging effects on a computer network or system (Kim & Solomon, 2012).
There are various but similar SQL injection strings that are used to exploit website accounts, but the hacker has to be well versed in the SQL query language. That is not to say that a quick search and some dedication to obtaining that knowledge would not be feasible. Finally, having understood the step-by-step SQL injection execution, let us look into how to mitigate SQL injections (Kali, 2017).
Web applications nowadays serve as a company's public face on the Internet. This has created the need to identify threats and attacks directed at data servers and web applications. Hackers exploit vulnerabilities in input validation and authentication affecting the web application in order to gain illegal access and disclose sensitive data or manipulate it to their benefit.
But this is only an example for understanding; real SQL injection operates at a far higher level than this example, because injecting harmful code into any chosen database, in order to take over its database server, destroy the database, or extract private information, is outright hacking.
During the year 2012, the National Vulnerability Database (NVD) recorded 50,056 vulnerabilities (Steinke, G., Tundrea, E., & Kelly, K., 2011). Moreover, the NVD report gives more data about three common threats: Cross-Site Scripting kept increasing and is still at the top of the list, SQL injection still remains high, and Cross-Site Request Forgery attacks decreased in presence in 2009 (Steinke, G., Tundrea, E., & Kelly, K., 2011).
In our time, with the remarkable progress of the Internet, web sites can be considered the main target of Internet hackers. Hackers have shifted their attacks from the well-defended network layer to the more accessible web application layer, since that layer is used on a daily basis by people to manage all their daily business, such as commercial matters, in addition to other things related to their lives. These web sites offer users a variety of services, such as shopping, booking travel tickets, health care, and payment of insurance. All of these and other services offered by