Tcp. E Commerce Sql Injection Prevention

    -- Header reconstructed from the description below; parameter names come from the page, the types are assumed.
    CREATE PROCEDURE CheckUser @uname NVARCHAR(100), @pass NVARCHAR(100)
    AS
    BEGIN
        DECLARE @sql NVARCHAR(MAX);
        -- The inputs are spliced into the query text, so a quote in @uname or @pass becomes SQL syntax.
        SET @sql = 'SELECT * FROM [User Table] WHERE Username = ''' + @uname
                 + ''' AND Password = ''' + @pass + '''';
        EXEC (@sql);
    END
    GO

In the above statement, we create a stored procedure called CheckUser, responsible for authenticating a username and password. Because the inputs are concatenated into the query text, the attacker simply injects ''; -- into the query, which closes the string literal and comments out the remainder of the query, thereby bypassing the authentication performed by the stored procedure.

V. E-COMMERCE SQL INJECTION PREVENTION

The tools and techniques for detecting and preventing SQL injection are given below:

1. AMNESIA: Proposed by Junjin [10] for detecting SQL injection attacks against web applications, i.e. for tracing SQL input flow using SQLInjectionGen and for attack input generation using…
By doing this, we take away the attacker's ability to make any changes to the database. In the following example, if the code is run with read and write permissions the attacker could potentially delete all the data in the database:

    '; DROP TABLE users; #

But if the database is read-only for the executing script, no changes can be made to the database, so the DROP TABLE users command would have no effect on the database as a whole.

4. Configure Error Reporting: When attacking a server, an attacker tries to get any information possible that could lead to unauthorized access to the server. If an attacker can cause a script to crash and spit out error messages, this helps to figure out the system's potential vulnerabilities. However, if all error messages are logged internally, the attacker gets no feedback about what is going on in the application, making it much more challenging to find a security vulnerability.

5. Prevention Using Stored Procedures [13]: Stored procedures are part of the database and help applications interact with the database server [13]. A combination of static analysis and runtime monitoring is used to protect them. The author of [15] proposed combining static analysis and runtime monitoring to address potential vulnerabilities, because a stored procedure coded by the programmer is itself a component that can be vulnerable to injection.

6. CANDID
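The CheckUser procedure from above, the read-only-database advice (item 3) and the error-reporting advice (item 4) turned into one runnable demonstration. This is an added example, not the essay's own code: it uses Python's sqlite3 module rather than SQL Server, so PRAGMA query_only stands in for running the script under a read-only database account, and the users table with its alice row is constructed sample data.

```python
import logging
import sqlite3

log = logging.getLogger("auth")  # item 4: errors stay in server-side logs

def make_db():
    """Constructed in-memory stand-in for the page's User Table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE users (username TEXT, password TEXT);"
                       "INSERT INTO users VALUES ('alice', 'correct horse');")
    return conn

def check_user_concat(conn, uname, pw):
    """CheckUser as on the page: concatenation turns quotes in the input into SQL."""
    sql = ("SELECT 1 FROM users WHERE username = '" + uname
           + "' AND password = '" + pw + "'")
    return conn.execute(sql).fetchone() is not None

def check_user_param(conn, uname, pw):
    """Hardened CheckUser: bound parameters keep input as data; errors are
    logged internally and surfaced only as a plain failure (item 4)."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    try:
        return conn.execute(sql, (uname, pw)).fetchone() is not None
    except sqlite3.Error:
        log.exception("authentication query failed")
        return False

def make_read_only(conn):
    """Item 3: SQLite has no GRANT, so PRAGMA query_only stands in for
    running the script under a read-only database account."""
    conn.execute("PRAGMA query_only = ON")

def table_survives_drop(conn):
    """Issue the DROP TABLE from the page's payload; report if users still exists."""
    try:
        conn.execute("DROP TABLE users")
    except sqlite3.OperationalError:
        pass  # refused: the connection is read-only
    return conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table'"
                        " AND name = 'users'").fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    payload = "alice'; --"  # the page's comment-out payload with a username in front
    print(check_user_concat(db, payload, "wrong"))  # True: password check commented out
    print(check_user_param(db, payload, "wrong"))   # False: treated as a literal username
    make_read_only(db)
    print(table_survives_drop(db))                  # True: the DROP is refused
```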