SQL Injection Defence

by Antonio M
I found this article to be very interesting. The author explained what a SQL injection
is, described some steps to detect whether a query has been subjected to a SQL injection
attack, and showed how to defend against such attacks. A SQL injection can be used to
steal, view or alter data in a database. A SQL injection statement is always formed from
SQL keywords together with spaces, single quotes and double dashes. The method the author
proposes for detecting a SQL injection attack is tokenization. Tokenization scans the input
for spaces, single quotes or double dashes, and every string before each such symbol is
treated as a token. Each token is then placed in its own index of an array. So, based on
the user's input, tokenization is used to search for spaces, single quotes and dashes.
Two arrays are then built: one holds how the user's input should look without an attempted
SQL injection, and the second holds how the user's input looks if it carries a SQL
injection attack. The two arrays are compared to see whether they contain the same number
of index elements. If they do not contain the same number of index elements, the user has
performed a SQL injection attack.
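The comparison described above, as an added example that is not the paper's own code: the query template, the sample values and the helper names are my own assumptions. The query is tokenized once with a benign placeholder value and once with the submitted value, and a difference in array length flags the input.

```python
import re

# Delimiters the method keys on: whitespace, a single quote and the "--"
# comment marker. The capturing group keeps each delimiter as its own token.
DELIMITERS = re.compile(r"(\s+|'|--)")


def tokenize(text: str) -> list[str]:
    """Split text into the token array the method compares."""
    return [t for t in DELIMITERS.split(text) if t]


def build_query(template: str, value: str) -> str:
    """String-built query (the construction that SQL injection abuses).
    The "{value}" placeholder is an assumption of this example."""
    return template.replace("{value}", value)


def expected_tokens(template: str) -> list[str]:
    """Token array of the query as it should look: the user-supplied part
    is a single token containing none of the delimiters."""
    return tokenize(build_query(template, "x"))


def actual_tokens(template: str, value: str) -> list[str]:
    """Token array of the query as actually built from the submitted value."""
    return tokenize(build_query(template, value))


def looks_like_injection(template: str, value: str) -> bool:
    """The paper's test: a length mismatch means extra delimiters (and so
    extra SQL structure) arrived inside the value."""
    return len(expected_tokens(template)) != len(actual_tokens(template, value))


# Constructed sample template and values for the demonstration.
TEMPLATE = "SELECT id FROM users WHERE name = '{value}'"

if __name__ == "__main__":
    # "alice" passes; "alice' --" adds a quote and a comment marker and is
    # flagged; "O'Brien" is a legitimate value that the heuristic also flags,
    # which is the false-positive cost of counting delimiters alone.
    for value in ("alice", "alice' --", "O'Brien"):
        print(f"{value!r:12} -> {looks_like_injection(TEMPLATE, value)}")
```

Because any legitimate apostrophe or space in a value trips the check, in practice this comparison is a detection aid alongside parameterized queries rather than a replacement for them.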

This article relates closely to our class because, as a database designer and developer,
one should learn what a SQL injection is and how to defend against such attacks. One of the
key things to remember in database development is to keep a database secure and its data
as accurate as possible, so it is very important that we as students have some basic
knowledge of what SQL injection is.

When I was trying to find this article, I had read that not many steps are usually performed
to try to defend against SQL injection attacks. When reading this article I was very
fascinated by how a SQL injection attack occurs and the steps to prevent such an attack. The
method that the author proposed made perfect sense to me. The concept of his idea seemed
so easy because you are basically comparing the user's input with how it should look
if it were not a SQL injection. This is a very easy step to implement in a database to
defend against SQL injection attacks.



Lambert, N.; Kang Song Lin, "Use of Query tokenization to detect and prevent SQL injection
attacks," Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International
Conference on, vol. 2, pp. 438-440, 9-11 July 2010. doi: 10.1109/ICCSIT.2010.5565202.
URL: http://0-ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=