Abstract—SQL injection attack is the most serious security vulnerability in databases connected to the web or to an intranet; most of these vulnerabilities are caused by a lack of input validation and of SQL parameter use. Typical SQL injection attack detection and prevention techniques are experimented with in this paper. Different defence methods are used for prevention, such as parameterized statements, stored procedures and white list input validation. The comparative results of these methods are highlighted.

Keywords: SQL injection attack; SQL queries

I. INTRODUCTION

Software is spreading all over the world and faces security problems as its challenge. Web applications are familiar to people nowadays; net banking, web mail, online auctions, online retail sales, social networks and blogs are the familiar ones. Web vulnerabilities have grown on a large scale in web applications where web developers fail at writing program code. It is necessary to perform proper syntax validation and to follow security rules for prevention during the programming phase.

Many commercial and open source tools exist in the market with specialized features, even though researchers have analyzed them and shown that not a single detection scanner gives the best result for every category of vulnerability. It is a highly challenging task for security-oriented developers to build reliable tools that provide an easier approach to handling security issues. Vulnerability detection scanners are in heavy use, most often among large organizations, as they detect potential vulnerabilities [1].

SQL injection attack is a code injection attack and one of the easiest techniques: using SQL commands such as Select, Where, Insert, Delete and Update, the attacker crafts SQL statements and executes vulnerable code through the web application. There are a huge number of security issues in web applications that can be handled by authentication of users, and many forms of SQL injection attack exist.

II. SQL INJECTION METHODS TO PREVENT SQLIAs

To protect databases from intruders who inject SQL queries, the security issues have to be prevented. Avoiding SQL injection flaws is simple and easy. There are three methods used for prevention:

· Method 1: Use of Prepared Statements (with Parameterized Queries)

· Method 2: Use of Stored Procedures

· Method 3: White List Input Validation

Method 1: Use of Prepared Statements (with Parameterized Queries)

Database programmers and database end users (naive users) write different database queries to get results for the tasks they perform. Both make use of simple and dynamic queries. Prepared statements and parameterized queries require developers to first define the SQL code and then pass each input to the query as a parameter. A framed statement ensures that an attacker is not able to change the intent of a query. For example, if an attacker enters a user_id or name such as ' or ‘1’=’1, a parameterized query is not vulnerable: it looks for a user_name that literally matches that whole string.
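The contrast described above, as an added example that is not part of the paper: a dynamic query built by string concatenation beside the same lookup as a prepared statement with a bound parameter, run against a constructed in-memory SQLite table of users. The table contents and the sample input are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data (not from the paper): three users in memory.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_vulnerable(conn, user_name):
    # Dynamic query: the input is spliced into the SQL text, so quote
    # characters in it change the structure of the statement.
    sql = ("SELECT user_id, user_name FROM users WHERE user_name = '"
           + user_name + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_name):
    # Prepared statement: the SQL text is fixed up front and the input is
    # bound as a value, so it can only ever be compared as a string.
    sql = "SELECT user_id, user_name FROM users WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed input containing the ' or '1'='1 pattern from the text.
    suspicious = "x' OR '1'='1"
    print("concatenated :", lookup_vulnerable(conn, suspicious))
    print("parameterized:", lookup_parameterized(conn, suspicious))
    print("parameterized:", lookup_parameterized(conn, "bob"))
```

With the concatenated query the condition becomes `user_name = 'x' OR '1'='1'`, which is true for every row; with the bound parameter the database searches for a user_name equal to the literal string and returns nothing. The second call shows that ordinary input still works as expected.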

Method 2: Stored Procedures

Stored procedures are a similar defence against SQL injection that makes use of parameterized queries. The developer has to build SQL statements with parameters rather than with user-controlled text. A stored procedure is defined and stored in the database and is then called from the application. Both techniques are efficient in preventing SQL injection.

Method 3: White List Input Validation

Input validation using a white list is needed where an SQL query refers to the names of tables or columns, since these cannot be passed as parameters. Input validation is the appropriate design for table or column names, and those values should come from the code, not from user input. If user input is used to choose between table and column names, then the input values should be mapped to the expected table or column names.
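The mapping described in this method, as an added example that is not part of the paper: a user-supplied sort key is looked up in a white list of expected column names before it is placed in an ORDER BY clause, and anything not in the list is rejected instead of being spliced into the query. The column names, the mapping and the sample rows are assumptions made for the demonstration.

```python
import sqlite3

# Constructed white list (hypothetical): the keys are the only values the
# application accepts from the user; the values are the real column names.
ALLOWED_SORT_COLUMNS = {
    "id": "user_id",
    "name": "user_name",
}


def make_sample_db():
    # Constructed sample data (not from the paper), ordered so that sorting
    # by id and sorting by name give visibly different results.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "carol"), (2, "alice"), (3, "bob")],
    )
    return conn


def sort_column_for(sort_key):
    # Map the user's key to an expected column name; reject everything else.
    # Column names cannot be bound as parameters, so this lookup is the
    # only place user input influences the identifier.
    try:
        return ALLOWED_SORT_COLUMNS[sort_key]
    except KeyError:
        raise ValueError("sort key not in white list: %r" % (sort_key,)) from None


def fetch_users_sorted(conn, sort_key):
    # Only a value taken from the white list ever reaches the SQL text.
    column = sort_column_for(sort_key)
    sql = "SELECT user_id, user_name FROM users ORDER BY " + column
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = make_sample_db()
    print("by id  :", fetch_users_sorted(conn, "id"))
    print("by name:", fetch_users_sorted(conn, "name"))
    try:
        # Constructed unexpected input: never reaches the database.
        fetch_users_sorted(conn, "user_name; DROP TABLE users")
    except ValueError as err:
        print("rejected:", err)
```

The white list is a fixed dictionary in code, so the set of identifiers that can appear in the query is known in advance and can be reviewed; the same pattern applies to table names or sort direction.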