Detecting and fixing SQLIVs

by Sam T
The peer-reviewed journal article I read was about vulnerabilities found in SQL queries. These vulnerabilities may lead to SQL injection attacks. These SQL Injection Vulnerabilities (SQLIVs) can make it easier for an attacker to modify, obtain, and delete valuable and private information. According to the National Institute of Standards and Technology, the authors found that SQLIVs made up about 14% of total Web applications online in 2006. They wanted to design a tool that would test how secure the application was and immediately fix any vulnerabilities found. They chose a program called SecurePHP, which is written in C# and uses the .NET framework. They chose this tool because they wanted it to be easy to use, and the results showed that it made it easy for the user to quickly find and fix vulnerabilities. The authors tested it against phpBB 2.0 to help determine the effectiveness of their solution. In the end, the authors found the reports helpful to developers in determining how secure their systems were, but felt SecurePHP could use more work, as it had difficulty tracking SQL statements.

I thought the article was related to our class since we started learning about SQL this week. I feel that one of the biggest concerns about databases and networks is security. Without security, SQL databases would be useless, as the data they contain would be compromised. The authors of the journal article decided to test a tool that they felt would really help developers to immediately find and fix any vulnerabilities.

I was a bit disappointed that the authors didn’t have a foolproof method of fixing SQLIVs, but on the other hand it is better that developers not rely on one tool, as attackers will always find a new method of compromising sensitive information. If developers kept relying on one tool, they would definitely be a step behind the attackers. By constantly finding new methods to help secure their systems, developers will keep up to date on the latest possible vulnerabilities and how to fix them.

Dysart, F. (2008, November). Automated Fix Generator for SQL Injection Attacks. IEEE Conference Publications.

One thought on “Detecting and fixing SQLIVs”

  • November 4, 2012 at 1:29 pm

    Good read. I have heard of SQL injection many times during the quarter, but I was not exactly sure what it was before I read this post. SQL injection is a type of attack method often used when hackers attack websites. One of the methods we can use to prevent SQL injection is prepared queries (AKA parameterized queries). There is a method for us to use in each language, such as PreparedStatement() in Java EE.
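As an added example that is not part of the original post or of SecurePHP, the following Python heuristic follows the detect-then-fix idea of the post and the comment's prepared-query advice: it tracks request input (the PHP superglobals) through simple assignments into query calls and reports each query built from that input together with a fix hint. The query-function list, the integer-conversion rule and the PHP fragment are my assumptions, constructed for illustration; `sql_query` is the name of phpBB's database wrapper method.

```python
import re

# Heuristic SQLIV scanner for PHP source (added example, not SecurePHP's code).
# Taint starts at the PHP request superglobals and flows through assignments
# unless the value is integer-converted first; query calls that use it are reported.
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
QUERY_FUNCS = ("mysql_query", "mysqli_query", "sql_query")  # sql_query: phpBB's $db->sql_query()
ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")
VAR_RE = re.compile(r"\$\w+")
INT_ONLY_RE = re.compile(r"^\s*(\(int\)|intval\s*\()")  # assumed sanitizer rule
FIX_HINT = "query built from request input; use a prepared statement with bound parameters"

def is_tainted(expr, tainted):
    """True if an expression reads a request source or a tainted variable."""
    if any(src in expr for src in SOURCES):
        return True
    return any(var in tainted for var in VAR_RE.findall(expr))

def scan_php(source):
    """Return [(line_no, hint)] for query calls whose text depends on request input."""
    tainted = set()
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        # Check the query call before the assignment so `$r = mysql_query(...)` is seen.
        if any(f + "(" in line for f in QUERY_FUNCS) and is_tainted(line, tainted):
            findings.append((no, FIX_HINT))
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            if is_tainted(rhs, tainted) and not INT_ONLY_RE.match(rhs):
                tainted.add(var)       # taint flows through string building, e.g. $sql = "... $id"
            else:
                tainted.discard(var)   # reassigned from a constant or an integer-converted value
    return findings

# Constructed PHP fragment in the style of a phpBB 2 page (not real phpBB code).
SAMPLE_PHP = """<?php
$id = $_GET['id'];
$page = intval($_GET['page']);
$sql = "SELECT * FROM posts WHERE id = $id";
$result = $db->sql_query($sql);
$result2 = $db->sql_query("SELECT * FROM posts LIMIT 10 OFFSET $page");
$result3 = mysql_query("SELECT * FROM users WHERE name = '" . $_POST['user'] . "'");
$result4 = mysql_query("SELECT COUNT(*) FROM users");
"""

if __name__ == "__main__":
    for line_no, hint in scan_php(SAMPLE_PHP):
        print(f"line {line_no}: {hint}")   # lines 5 and 7 are reported
```

The scanner only follows taint one assignment at a time within a single file, which is exactly the kind of tracking the post says SecurePHP struggled with; a real tool would need to follow values across functions and files.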
