Essay about A Survey of Sql Injection Defense Mechanisms

5658 Words May 1st, 2014 23 Pages
A Survey of SQL Injection Defense Mechanisms
Kasra Amirtahmasebi, Seyed Reza Jalalinia and Saghar Khadem Chalmers University of Technology, Sweden akasra, seyedj, saghar{@student.chalmers.se}

Abstract
SQL Injection Attack (SQLIA) is a prevalent method which makes it possible for the attackers to gain direct access to the database and culminates in extracting sensitive information from the firm’s database. In this survey, we have presented and analyzed six different SQL Injection prevention techniques which can be used for securing the data storage over the Internet. The survey starts by presenting Variable Normalization and will continue with AMNESIA, Prepared statements, SQL DOM, SQLrand and SQLIA prevention in stored procedures
…show more content…
1. Introduction
Since the dawn of web programming, companies started putting their databases on the Internet for public access. These databases sometimes contained confidential and valuable information which were good targets of attack. SQL injection attacks (SQLIA) are among the most common database attacks which try to access the sensitive data directly. They work by injecting malicious SQL codes through the web application and cause unexpected behavior from the database. The 2002 Computer Security Institute and FBI revealed that on a yearly basis, over half of all database experience at least one security breach and an average episode results in close to $4 million in losses [4]. We have presented six SQL injection prevention techniques in this paper which will cover a wide range of SQL injection attacks. A combination of these prevention techniques may lead to a more secure and reliable database system.

2. Variable Normalization
Here we introduce a method that uses a virtual database connectivity drive along with a special method named “variable normalization” using these methods we can determine the basic structure of a SQL statement therefore we will be able to decide if a SQL statement is legal or not. This method does not require changing the source code of database

Related Documents