Abstract—SQL injection attack is the most serious security vulnerability of databases connected to the web or to an intranet; most of these vulnerabilities are caused by a lack of input validation and a failure to use SQL parameters. Typical SQL injection attack detection and prevention technologies are experimented with in this paper. Different defence methods are used for prevention, such as parameterized statements, stored procedures and white list input validation.
The comparative results of these methods are highlighted.

Keywords: SQL injection attack; SQL queries

I. INTRODUCTION

Software is spreading all over the world and faces security problems as a challenge. Web applications are familiar to people nowadays; net banking, web mail, online auctions, online retail sales, social networks and blogs are among the familiar ones.
Web vulnerabilities have grown on a large scale in web applications where web developers fail in writing the programming code. It is necessary to perform proper syntax validation and to follow the security rules during the programming phase in order to secure the application and prevent attacks. Many commercial and open source tools with specialized features exist in the market, even though researchers have analyzed them and shown that not even a single detection scanner provides the best result for all categories of vulnerability. It is a highly challenging task for security-oriented developers to build reliable tools that provide an easier approach to handling security issues. Vulnerability detection scanners are highly intensive and are used most often among large organizations, as they detect potential vulnerabilities [1].

SQL injection attack is a code injection attack and one of the easiest techniques: using SQL commands such as Select, Where, Insert, Delete and Update, the attacker designs SQL statements and executes the injected code against the web application. There is a huge number of security issues in web applications that can be handled by authentication of users, and many forms of SQL injection attack exist.
II. SQL injection methods to prevent SQLIAs

To protect the databases from intruders who inject SQL queries, the security issues must be prevented. Avoiding SQL injection flaws is simple and easy. Three methods are used for prevention:

· Method 1: Use of Prepared Statements (with Parameterized Queries)
· Method 2: Use of Stored Procedures
· Method 3: White List Input Validation

Method 1: Use of Prepared Statements (with Parameterized Queries)

Database programmers and database end users (naïve users) write different database queries to get results for the tasks they perform. Both make use of simple and dynamic queries to perform their tasks. Prepared statements and parameterized queries require the developer to define the SQL code first and then pass each input as a parameter to the query. A prepared statement ensures that an attacker is not able to change the intent of a query.
For example, if an attacker enters the user_id name or '1'='1, the parameterized query is not vulnerable and will instead look for a user_name that literally matches the entire string.

Method 2: Stored Procedures

Stored procedures are a similar method of preventing SQL injection that also makes use of parameterized queries. The developer has to build SQL statements with parameters in order to prevent SQL injection.
A stored procedure is defined and stored in the database and is then called from the application. Both techniques are efficient in preventing SQL injection.

Method 3: White List Input Validation

Input validation using a white list is used where SQL queries refer to names of tables or columns. Input validation is the appropriate design for names of tables or columns, and those values should come from the code, not from user input. If user inputs are used to choose between table and column names, then the input values should be mapped to the expected table or column names.
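The following added example (not code from the paper) illustrates Method 1 and Method 3 together with Python's sqlite3 module on a constructed in-memory users table: a dynamic query built by string concatenation, the same lookup as a prepared statement with a bound parameter, and a white list that maps a user-supplied sort key to a column name defined in code. The table, rows and sort keys are assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the example; not taken from the paper.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    # In-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_name):
    # Dynamic query: the user input becomes part of the SQL text, so the
    # input  ' OR '1'='1  turns the WHERE clause into a condition that is always true.
    sql = "SELECT user_name FROM users WHERE user_name = '" + user_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, user_name):
    # Method 1: prepared statement. The SQL is fixed first and the input is bound
    # as a parameter, so the driver treats the whole value as one literal string.
    sql = "SELECT user_name FROM users WHERE user_name = ?"
    return [row[0] for row in conn.execute(sql, (user_name,))]


# Method 3: column names cannot be bound as parameters, so the application keeps a
# white list and maps the user's choice to a column name that lives in the code.
ALLOWED_SORT_COLUMNS = {"name": "user_name", "mail": "email"}


def list_users_sorted(conn, sort_key):
    # Anything not in the white list is rejected before it reaches the query text.
    column = ALLOWED_SORT_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError("unexpected sort column: %r" % sort_key)
    sql = "SELECT user_name FROM users ORDER BY " + column
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("dynamic :", lookup_vulnerable(db, "' OR '1'='1"))  # both rows leak
    print("prepared:", lookup_prepared(db, "' OR '1'='1"))    # no row matches
    print("sorted  :", list_users_sorted(db, "mail"))
```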