SQL Injection Defence

by Antonio M
I found this article to be very interesting. The author explains what a SQL injection is,
describes a way to detect whether a query has been tampered with by an injection attack, and
shows how to defend against such attacks. A SQL injection can be used to steal, view or alter
data in a database. The injected text relies on SQL keywords and, in the cases the paper
targets, on a small set of delimiter characters: spaces, single quotes and double dashes (the
SQL comment marker). The method the author proposes for detecting an attack is tokenization.
The query is scanned for spaces, single quotes and double dashes, and every run of text up to
each such symbol is treated as a token; the tokens are then stored in an array, one token per
index. Based on the user's input, two arrays are built: one from the query as it should look
with legitimate input and no injection, and one from the query as it actually looks once the
user's input has been inserted. The two arrays are then compared by length. If they do not
contain the same number of elements, the user's input has added delimiters, and therefore SQL
structure, of its own, and the query is treated as a SQL injection attack.
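As an added illustration (my own code, not the paper's or the post author's), here is the template-versus-actual token-count check in Python. It uses exactly the delimiter set the post names (space, single quote, double dash); the query templates, the `{value}` marker, the delimiter-free reference value `x` and all sample inputs are my own constructions. It also runs two inputs the post does not discuss, a legitimate surname containing an apostrophe and a payload that uses inline comments in place of spaces, to show where a delimiter-count heuristic gives a false positive and where it misses.

```python
import re

# Added example of the tokenization check the post summarises. The delimiters are
# the three the post names (space, single quote, "--"); the rest is my own design,
# not the paper's code.
DELIMITERS = re.compile(r" |'|--")

# Constructed query templates; {value} marks where the user's input is concatenated.
TEMPLATE = "SELECT * FROM users WHERE name = '{value}'"
NUMERIC_TEMPLATE = "SELECT * FROM users WHERE id = {value}"


def tokenize(query: str) -> list[str]:
    """Split the query on the delimiters.

    Empty pieces are kept on purpose, so the token count depends only on how many
    delimiters the query contains and an empty literal '' does not trip the check.
    """
    return DELIMITERS.split(query)


def build_query(template: str, value: str) -> str:
    """Naive string concatenation: the vulnerable pattern the check is meant to guard."""
    return template.replace("{value}", value, 1)


def is_injection(template: str, user_value: str, reference_value: str = "x") -> bool:
    """Compare the query as the developer expects it against the query actually built.

    The expected query is built from a delimiter-free reference value; the actual
    query is built from the user's input. If the two token arrays differ in length,
    the input introduced delimiters (and so SQL structure) of its own.
    """
    expected = tokenize(build_query(template, reference_value))
    actual = tokenize(build_query(template, user_value))
    return len(expected) != len(actual)


# Constructed sample inputs, labelled with what the check is expected to do.
SAMPLES = [
    (TEMPLATE, "alice"),                 # benign
    (TEMPLATE, ""),                      # benign, empty literal
    (TEMPLATE, "alice' OR '1'='1"),      # classic tautology: extra quotes and spaces
    (TEMPLATE, "admin'--"),              # closes the literal, comments out the rest
    (TEMPLATE, "O'Brien"),               # legitimate apostrophe: false positive
    (NUMERIC_TEMPLATE, "42"),            # benign numeric id
    (NUMERIC_TEMPLATE, "1 OR 1=1"),      # numeric tautology with spaces: caught
    (NUMERIC_TEMPLATE, "1/**/OR/**/1=1"),  # comments instead of spaces: missed
]

if __name__ == "__main__":
    for template, value in SAMPLES:
        verdict = "INJECTION" if is_injection(template, value) else "ok"
        print(f"{value!r:22} -> {verdict}")
```

Because empty pieces are kept, the token count is simply the number of delimiters plus one, so the comparison reduces to asking whether the user's input brought any space, single quote or double dash of its own. That is why `O'Brien` is flagged although it is a legitimate name, and why `1/**/OR/**/1=1`, which uses inline comments where an attacker would normally need spaces, passes the check with the same token count as `42`.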

This article relates a lot to our class because, as a database designer and developer, one
should learn what a SQL injection is and how to defend against such attacks. One of the
key things to remember in database development is to keep the database secure and its data
as accurate as possible, so it is very important that we as students have some basic
knowledge of what SQL injection is.

When I was trying to find this article, I had read that not many steps are usually taken
to defend against SQL injection attacks. When reading this article I was very fascinated
by how a SQL injection attack occurs and by the steps to prevent such an attack. The
method that the author proposed made perfect sense to me. The concept of his idea seemed
so easy because you are basically comparing the user's input to how it should look
if it were not a SQL injection. A very easy step to implement in a database that can
defend against SQL injection attacks.

 

Reference:

Lambert, N.; Lin, Kang Song. "Use of query tokenization to detect and prevent SQL injection
attacks." Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International
Conference on, vol. 2, pp. 438-440, 9-11 July 2010. doi: 10.1109/ICCSIT.2010.5565202
URL: http://0-ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=5565202&isnumber=5563531

4 thoughts on “SQL Injection Defence”

  1. This is actually a great way to find out if SQL injections occur. The article fascinates me because I would like to know how to defend against these types of things. I would like to get into cyber security and would like this skill to be part of my list of skills. I just want to know if this would bog down the performance of the SQL databases. However, if we were to implement this, I would like an example of a SQL injection just to know what we could be up against. Great Article, Antonio!

  2. Great Article! I have been curious about what steps we should be aware of to take against SQL injections. It's a unique system that can show if there was an SQL injection attack. I found this a great read and am glad I kind of understand this for the most part.

  3. Great Article. I noticed that more and more of us are starting to post about the security flaws of databases. Perhaps this is because there are more articles on this topic and these articles are easier to find. I do believe this is a very important topic. A lot of personal information is stored in these databases. You wouldn't want to have your personal information stolen.

  4. Wow! Really interesting information about how to detect an SQL injection exploit. I never really knew how this was done so this information is very valuable. Comparing arrays will probably be a very valuable tool for many administrators looking to detect such attacks. Thanks for the great info!
