DOI: 10.1145/3459955.3460594
Research article

Web application database protection from SQLIA using permutation encoding

Published: 28 July 2021

Abstract

Web applications are the foundation of online business over the Internet. The emergence of COVID-19 forced almost every job to operate online so as to bridge the distance between individuals. The rapid increase in demand for web applications raises the security threats to information and data. According to the Open Web Application Security Project (OWASP), Structured Query Language Injection Attack (SQLIA) is a top security threat for web applications. SQLIA inserts malicious code to gain access to, or to manipulate, database information by tricking the server into passing that code through to the database, causing a severe impact on the web application. In this paper, a permutation encoding method is proposed to prevent SQLIA; it is based on encoding all database information using the proposed method. Initially, a special character is inserted to prevent the method from being reversed. Subsequently, the permutation encoding method is applied. Permutation refers to the step in which bit locations are changed within groups of three characters, after which radix encoding is applied. The permutation is based on a primitive root value, and the encoding is used to hide the permutation. The proposed method was implemented and tested using PHP and a MySQL database, and its results were compared with those of other proposed methods. The results and security analysis prove that the proposed method prevents SQLIA and protects database information.


Cited By

  • Survey on Bio-Inspired Algorithm for SQL Injection Attacks. Basrah Researches Sciences 50, 1 (2024), 340. https://doi.org/10.56714/bjrs.50.1.27. Online publication date: 30 June 2024.
  • Provably throttling SQLI using an enciphering query and secure matching. Egyptian Informatics Journal 23, 4 (2022), 145–162. https://doi.org/10.1016/j.eij.2022.10.001. Online publication date: December 2022.


Published In

ICISS '21: Proceedings of the 4th International Conference on Information Science and Systems
March 2021
166 pages
ISBN:9781450389136
DOI:10.1145/3459955

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Internet security
  2. SQL injection
  3. database protection
  4. web application

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICISS 2021
