Detecting and Preventing SQL Injections

by Kathy S
In this journal article, the authors discuss how web applications are often vulnerable to attackers who can easily access the application's underlying database. They define an SQL injection as a type of attack in which the attacker adds Structured Query Language code to a web form input box to gain access to data or to make changes to it. In the article, the authors propose different tools to detect and prevent this vulnerability. The main consequences of these vulnerabilities are attacks on authorization, authentication, confidentiality, and integrity. One of the proposed techniques to prevent SQLIAs (SQL Injection Attacks) is called WAVES, a black-box technique for testing web applications for SQL injection vulnerabilities. The tool identifies all points in a web application that can be used to inject SQLIAs, builds attacks that target these points, and monitors the application's response to those attacks using machine learning. Other tools that help prevent SQLIAs are JDBC-Checker, CANDID, SAFELI, AMNESIA, SQLGuard and SQLCheck, and WebSSARI. The authors go into much detail explaining what each tool does to prevent SQLIAs and how it works. They test these tools and explain their results at the end of the article. If interested, I'd recommend reading the whole article to find more information.
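To make the definition above concrete, here is an added example (not code from the paper or from any of the tools it surveys) showing why splicing web form input into a query string lets input be read as SQL, and why binding the same input as a parameter does not. The user table and the login functions are constructed for this illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample table; not data from the article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    # Form input is concatenated straight into the statement, so the
    # database cannot distinguish the user's data from the query's code.
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    # Placeholders fix the query structure before input is seen; the
    # driver binds name and password as values only, never as SQL text.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


# A textbook tautology string typed into the password box (constructed).
TAUTOLOGY = "' OR '1'='1"


def demo():
    """Run both login variants with honest and with injected input."""
    conn = make_db()
    return {
        # Correct credentials work in both versions.
        "vulnerable_honest": login_vulnerable(conn, "alice", "correct horse"),
        "parameterized_honest": login_parameterized(conn, "alice", "correct horse"),
        # With concatenation the WHERE clause becomes
        #   name = 'nobody' AND password = '' OR '1'='1'
        # which is always true, so a row comes back without a valid password.
        "vulnerable_injected": login_vulnerable(conn, "nobody", TAUTOLOGY),
        # With binding the same string is compared literally and matches nothing.
        "parameterized_injected": login_parameterized(conn, "nobody", TAUTOLOGY),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized variant is the fix the surveyed tools are ultimately trying to enforce or verify; the vulnerable variant is the pattern they aim to detect.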

It seems as though a lot of us have written a blog relating to SQL injections, and I believe it's because it is an important topic to look into. I had no idea what an SQL injection was until I read this article, and it does relate to what we've been learning, which is obviously about SQL. I liked that this article was clear and concise about defining what a SQLIA was and how it presented the various tools that helped to prevent those SQLIAs.

Tajpour, A., Ibrahim, S., & Masrom, M. (2011). SQL injection detection and prevention techniques. International Journal of Advancements in Computing Technology, 3(7), 82-91. DOI: 10.4156/ijact.vol3.issue7.1

2 thoughts on “Detecting and Preventing SQL Injections”

  • November 12, 2012 at 12:11 am

    It’s interesting to know that there are many tools out there to prevent and also to plan attacks on SQL injections. Since there have been several successful high-profile attacks by the use of SQL injections, I do not find it a surprise that many people write/talk about it. It seems as if it’s too easy to hack into a SQL server, or the database administrators do not implement correct security measures to prevent such an attack.

  • November 13, 2012 at 1:56 pm

    I wrote an article this week about the security of an SQL management system and of an Oracle database. It seems as though SQL Server blew Oracle out of the water in terms of security, even when there are clear vulnerabilities in the software. But the fault didn’t lie with the SQL system itself; the fault actually lay with the end user, or the people who set up the SQL server. So it isn’t that SQL is a vulnerable application, it is that the user doesn’t take the appropriate steps to block his or her system from vulnerabilities and holes.
