On Preventing SQL Injection Attacks

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 395))

Abstract

In this paper, we propose three new approaches to detect and prevent SQL Injection Attacks (SQLIA), as alternatives to the existing solutions, namely: (i) a Query Rewriting-based approach, (ii) an Encoding-based approach, and (iii) an Assertion-based approach. We discuss in detail the benefits and shortcomings of the proposals with respect to the literature.

Corresponding author

Correspondence to Bharat Kumar Ahuja.

Copyright information

© 2016 Springer India

Cite this chapter

Ahuja, B.K., Jana, A., Swarnkar, A., Halder, R. (2016). On Preventing SQL Injection Attacks. In: Chaki, R., Cortesi, A., Saeed, K., Chaki, N. (eds) Advanced Computing and Systems for Security. Advances in Intelligent Systems and Computing, vol 395. Springer, New Delhi. https://doi.org/10.1007/978-81-322-2650-5_4

  • DOI: https://doi.org/10.1007/978-81-322-2650-5_4

  • Publisher Name: Springer, New Delhi

  • Print ISBN: 978-81-322-2648-2

  • Online ISBN: 978-81-322-2650-5