Detecting and Preventing SQL Injections


In this journal article, the authors discuss how web applications are often vulnerable to attackers who can easily access the application's underlying database. They define an SQL injection as a type of attack in which the attacker adds Structured Query Language code to a web form input box to gain access to or make changes to data. In the article, the authors propose different tools to detect and prevent this vulnerability. The main consequences of these vulnerabilities are attacks on authorization, authentication, confidentiality, and integrity. One of the proposed techniques to prevent SQLIAs (SQL Injection Attacks) is called WAVES, which is a black-box technique for testing web applications for SQL injection vulnerabilities. The tool identifies all points in a web application that can be used to inject SQLIAs. It builds attacks that target these points and monitors the application's response to the attacks using machine learning. Other tools that help prevent SQLIAs are JDBC-Checker, CANDID, SAFELI, AMNESIA, SQL Guard and SQL Check, and WebSSARI. The authors go into much detail explaining what each tool does to prevent SQLIAs and how it works. They test these tools and explain their results at the end of the article. If you are interested, I'd recommend reading the whole article for more information.
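As an added illustration (not code from the article or from any of the tools it surveys), the following Python/sqlite3 example shows why splicing form input into a query lets SQL code in the input change the statement, why binding the input as a parameter does not, and a simplified query-structure check in the spirit of the runtime detection approaches the article covers. The `users` table, the example user row, and the tautology input are constructed for the example.

```python
import re
import sqlite3

# The statement the developer intends to run; parameters marked with "?".
EXPECTED_SKELETON = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table with one example user (not data from the article).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def build_query_unsafe(username: str, password: str) -> str:
    # Form input is spliced straight into the SQL text, so input that contains
    # SQL syntax (quotes, OR, comments) changes the structure of the statement.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(build_query_unsafe(username, password)).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders fix the statement structure; the driver binds the input as
    # data, so SQL syntax inside the input is never parsed as part of the query.
    return conn.execute(EXPECTED_SKELETON, (username, password)).fetchone()[0] > 0


def sql_skeleton(query: str) -> str:
    # Replace every single-quoted literal (including '' escapes) with "?" so
    # queries that differ only in literal values collapse to the same skeleton.
    return re.sub(r"'(?:[^']|'')*'", "?", query)


def matches_expected_structure(query: str) -> bool:
    # Simplified runtime structure check: a query whose skeleton differs from
    # the developer-intended one is flagged. This illustrates the idea behind
    # structure-based detection; it is not any surveyed tool's actual algorithm.
    return sql_skeleton(query) == EXPECTED_SKELETON


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # constructed input that turns the WHERE clause into a tautology
    print(login_vulnerable(db, "alice", tautology))       # True: password check bypassed
    print(login_parameterized(db, "alice", tautology))    # False: input treated as data
    print(matches_expected_structure(build_query_unsafe("alice", tautology)))  # False: flagged
```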

It seems as though a lot of us have written a blog relating to SQL injections, and I believe it's because it is an important topic to look into. I had no idea what an SQL injection was until I read this article, and it does relate to what we've been learning, which is obviously about SQL. I liked that this article was clear and concise about defining what an SQLIA was and how it presented the various tools that help to prevent those SQLIAs.

Tajpour, A., Ibrahim, S., & Masrom, M. (2011). SQL injection detection and prevention techniques. International Journal of Advancements in Computing Technology, 3(7), 82-91. DOI: 10.4156/ijact.vol3.issue7.1