SQL Injection Prevention


by Jorge R
The author of my article talks about the growing rate of SQL injection over the past years. There have been many new security advances, such as the Injection Detection System (IDS). The author also explains that there is no single definition of SQL injection; instead it is a combination of forms and characteristics that together make up SQL injection. Microsoft describes it "…from two aspects as follows: a. Attacks in the form of script injection; b. SQL script can be affected by malicious user input". It is also the act of visiting a page and directly retrieving data from the database. Hackers are able to infiltrate the database by manipulating it and then inserting an SQL sentence into applications. The attack can happen on all the different database software and SQL language systems. It is easy to learn and to carry out against systems with little computer knowledge. The most common attack includes the "1=1" statement; this logical statement always evaluates to "true". It is most commonly used to retrieve the usernames and passwords of all the users on the website. It is true that users may type those keywords by mistake; that is when IDS steps in by tracking their movements for suspicious activity. When that same user starts typing other commands, the server is alerted and records the user's IP with a time stamp of when the infiltration happened. The main goal of programmers in stopping SQL injections is to improve the programming. There are very limited tools to try to stop SQL injection.
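As an added illustration (not code from the article or from this post), the following Python/sqlite3 snippet shows the "1=1" tautology described above from the defender's side: a login query built by string concatenation beside the parameterized form that the article's "improve the programming" advice points to, plus a crude IDS-style check that records the client IP and a time stamp. The users table, names and IP address are constructed for the demo.

```python
import re
import sqlite3
from datetime import datetime, timezone


def make_db():
    """Constructed sample data: an in-memory users table (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")])
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the form input becomes part of the SQL sentence itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Placeholders: the driver passes the values separately, so they are data, never SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Crude IDS-style check in the spirit of the article: flag a numeric tautology
# such as 1=1, a comment marker, or a statement separator inside form input.
SUSPICIOUS = re.compile(r"\b(\d+)\s*=\s*\1\b|--|/\*|;")


def inspect_input(value, client_ip, log):
    """Return True and record ip/timestamp/fragment when the input looks like injection."""
    match = SUSPICIOUS.search(value)
    if match:
        log.append({"ip": client_ip,
                    "at": datetime.now(timezone.utc).isoformat(),
                    "fragment": match.group(0)})
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"          # the tautology the article describes
    print(login_vulnerable(db, payload, "anything"))      # every username leaks
    print(login_parameterized(db, payload, "anything"))   # [] : treated as a literal
    events = []
    print(inspect_input(payload, "203.0.113.7", events), events)
```

Running it shows the concatenated query returning every user while the parameterized query matches nothing, and the inspector logging the flagged fragment with the IP and time stamp.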

I really enjoyed this article; it really opens my eyes and lets me see that there are hackers out there trying to get your information. There needs to be more security added to databases for developers and users. This relates to our class because we are forming databases, and it shows us what key points we need to work on and improve upon. My only concern is that if these attacks are so common, why are there no real fixes or defense systems to prevent these attacks? Could it be that the internet and users evolve and change so constantly that it is a cat-and-mouse game, with no real solution?

Reference

Qian Xue and Peng He, "On Defense and Detection of SQL SERVER Injection Attack," Wireless Communications, Networking and Mobile Computing (WiCOM), 2011 7th International Conference on, pp. 1-4, 23-25 Sept. 2011.
doi: 10.1109/wicom.2011.6040534
URL: http://0-ieeexplore.ieee.org.opac.library.csupomona.edu/stamp/stamp.jsp?tp=&arnumber=6040534&isnumber=6036637