<p>SQL Injection attacks (SQLIAs) pose a major threat to web applications getting empowered with unauthorized data access that lead to either steal, modify or delete sensitive data from underlying databases. SQLIAs have become popular due to the reason that they create massive impacts on digital platforms. This paper presents a light weight real time detection and prevention mechanism for SQLIAs using structured query comparison approach. The proposed method compares the SQL queries at compile-time and execution-time for SQLIAs identification. SQLIAs that can be detected by the proposed method include Boolean, tautology, piggybacked queries, illegal queries, union queries, stored procedure etc. The proposed method has been tested on two GITHUB open source datasets and the results show the F1-score of <InlineEquation ID="IEq1"> <EquationSource Format="TEX">\(96.4\%\)</EquationSource> </InlineEquation> and <InlineEquation ID="IEq2"> <EquationSource Format="TEX">\(98.89\%\)</EquationSource> </InlineEquation> respectively. The proposed query comparison engine can be easily deployed to existing and new database driven web applications with ease for the enhancement of web application security.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Query comparison engine to detect and prevent SQL injection attacks

  • Jayanto Kumar Chowdhury,
  • Dilip Kumar Yadav,
  • P. V. S. S. R. Chandra Mouli

摘要

SQL Injection attacks (SQLIAs) pose a major threat to web applications getting empowered with unauthorized data access that lead to either steal, modify or delete sensitive data from underlying databases. SQLIAs have become popular due to the reason that they create massive impacts on digital platforms. This paper presents a light weight real time detection and prevention mechanism for SQLIAs using structured query comparison approach. The proposed method compares the SQL queries at compile-time and execution-time for SQLIAs identification. SQLIAs that can be detected by the proposed method include Boolean, tautology, piggybacked queries, illegal queries, union queries, stored procedure etc. The proposed method has been tested on two GITHUB open source datasets and the results show the F1-score of \(96.4\%\) and \(98.89\%\) respectively. The proposed query comparison engine can be easily deployed to existing and new database driven web applications with ease for the enhancement of web application security.