International Journal of Computer Science and Information Security (IJCSIS),
Vol. 17, No. 7, July 2019
RAMIFICATION ANALYSIS OF SQL
INJECTION DETECTION IN WEB
APPLICATION
Manjunatha K M,
Reseach Scholor, Lecturer,
Government Polytechnic,
Channasandra,.
Bengaluru-560004 ,
Abstract – SQL Injection Attack (SQLIA) is a generic and
critical security issue towards to the web application and
database security. In general, poorly validated and verified
web applications are highly prone and vulnerable by the
attackers. Due to the creative and dynamic SQLIA methods
and techniques, users can save their valuable, integral and
confidential data in the web site to save their market stability
towards their self as well as social enrichment. Many
cryptographic researchers, Analyst and security personnel’s
used many subsets and plethora of tools and techniques, even
though SQL injection attack is one of the vulnerability
techniques in the critical web applications, like Banking
domain, Insurance domain, transportation domain and
trading domain, etc.
Many tools and techniques are addressed to the references
regarding the SQL Injection issues, but we are present and
used pattern matching techniques in SQL statements to
predict and detect the SQLIA in web application. At the
outset pattern matching algorithm is used and get better
solution towards on detection and prevention of SQLIA.
Keywords: SQLIA, SQL queries, web application, DBMS.
I. INTRODUCTION
WebApp or Web applications are the tools to share and
display their personnel or self-valuable information to
access in worldwide network from anywhere. Regarding
the usage of the web applications have many benefits, out
of which some of the issues are much more risky.
Now a day’s information as well as network security is
a big concern, where users can face many types of attack,
out of which one simple and common category is SQLIA.
As we know that Web applications are one such tool to
access and transfer various self -information across the
world with internet facility. Meanwhile some creative and
dynamic hackers are also waiting and accomplish to hack
this precious information from internet and breach the
privacy of users. So that attackers have use many
techniques, out of which SQL Injection Attack (SQLIA) is
the major and common attacks performed by the attacker.
132
Dr. M Kempanna
Assistant Professor,
Department of Computer Science
Bangalore Institute of Technology
Bengaluru-560004
As per the internet and network security concern
SQLIA is one of the serious threats in the web application
and SQLIA is considered to be in top ten vulnerability for
web application usage. Now a day’s SQLIA will be the
easiest way to hack or attack the Web applications with
various servers in using in World Wide Web protocol, i.e.
if the web applications is coded very Poor in programming
language or if the system files are not uploaded in the
system, then it dam sure that, such web applications are
very easy to hack by the attackers.
It has been found that to detect and prevent SQLIA to
our system, we must use some efficient algorithm to safe
guard our personal data, in this paper we analyze and use
pattern matching algorithm to detect and prevent SQLIA.
Naive String pattern matching algorithm is used and tested
efficiently in SQLIA.
A. Importance and Motivation of SQL Injection
Attack (SQLIA)
SQLIA is one kind of attack, towards the vulnerability;
where attacker is injecting some malicious code within the
SQL statement inserted into the web application. In the
database package, if the application encounter the SQL
Statement is SQL statement will be executed immediately
and perform SQLIA within the system, so that the attacker
can modify, extract and execute very sensitive and valuable
information in the database.
Basically hacker will take the advantages of poorly
coded and very weak validated input based web
applications has major targeted system, but once hacker
will get successful execution of SQLIA to that application,
the sanctity, integrity and confidentiality of the data to be
bared, which results loss of social sanctity in the society as
well as organization values.
II. LITERATURE REVIEW
Pattern matching is a technique that can be used to
identify or detect any anomaly packet from a sequential
action. Injection attack is a method that can inject any kind
https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 17, No. 7, July 2019
of malicious string or anomaly string on the original string.
Most of the pattern based techniques are used static
analysis and patterns are generated from the attacked
statements. In this paper, we proposed a detection and
prevention technique for preventing SQL Injection Attack
(SQLIA) using Aho-Corasick pattern matching algorithm
[3].
SQL Injection Attack (SQLIA) is a frequent and a
severe security issue in the web applications. In SQLIA,
hacker can obtain the benefit of poor input validation and
weak coded web application. Due to the successful
execution of a SQLIA, integrity and confidentiality of data
are lost which results in the degrading organization’s
market value. This paper gives a valuable analysis of
various types of SQLIAs, methods and mechanisms. It also
explores various detection and prevention techniques [5].
SQL injection attack (SQLIA) pose a serious security
threat to the database driven web applications. This kind of
attack gives attackers easily access to the application's
underlying database and to the potentially sensitive
information these databases contain. A hacker through
specifically designed input, can access content of the
database that cannot otherwise be able to do so. This is
usually done by altering SQL statements that are used
within web applications [12].
SQL injection attack (SQLIA) is one of the most
serious threats. SQLIA is a code injection attack that
exploits secure vulnerabilities consisting in source codes to
attack databases. SQLIA allows attackers to bypass
authentication, access private information, modify data,
and even destroy databases. Since many sensitive and
confidential data stored in database must be kept private
and secure, a mechanism to detect SQLIAs for web
environments is necessary [16].
Many software systems have evolved to include a Web-
based component that makes them available to the public
via the Internet and can expose them to a variety of Web-
based attacks. One of these attacks is SQL injection, which
can give attackers unrestricted access to the databases that
underlie Web applications and has become increasingly
frequent and serious. This paper presents a new highly
automated approach for protecting Web applications
against SQL injection that has both conceptual and
practical advantages over most existing techniques. From a
conceptual standpoint, the approach is based on the novel
idea of positive tainting and on the concept of syntax-aware
evaluation. From a practical standpoint, our technique is
precise and efficient, has minimal deployment
requirements, and incurs a negligible performance
overhead in most cases. We have implemented our
techniques in the Web application SQL-injection preventer
(WASP) tool, which we used to perform an empirical
evaluation on a wide range of Web applications that we
subjected to a large and varied set of attacks and legitimate
accesses [21].
133
III. SQL INJECTION ATTACK OVERVIEW
SQLIA is one of the most frequently web attacks
pertaining today in the web based application, where
hacker or an attacker will use basic login page has input
entry to vulnerable the web page, here attacker will insert a
malicious code in the SQL statements to execute it, i.e. user
id/password are the input to web page login.
In web applications the security ramifications are vary
based on many techniques towards on authentication
process to save the precious information of the users.
Usually attacker introduce the malicious codes in the SQL
statement, so that attacker can gain and drive the
application of the user, where user did not have any
knowledge on running application, shown in the Figure 1.
Figure 1: Sample SQL Injection Attack
SQLIA works on various techniques with many tasks.
The SQLIA mechanisms is divided into two types,
™ injection mechanism
™ Attack intent.
Injection mechanism is one of the important attacking
techniques by the attacker, where the attacker injects
malicious code into the applications through SQL
statements. Attackers use different types of variables and
sources to inject the malicious code, categories are used to
perform the attack are,
™ SQL injection through user input, where attacker
insert the malicious code into the web application through
‘get’ or ‘post’ method.
™ SQL injection through internet cookies,
™ SQL injection through server protocols or
variables, where http, network headers and environmental
variables are used to perform the attack.
Data base schema will define the overview and overall
structure of the user data in the table. When attacker gather
and extract the information about the user schema of the
database, attacker shutdown the specific user database and
extract the data from the database and segregate the data,
separate the sensitive and very desirable data.
https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 17, No. 7, July 2019
A. Detection and Prevention of SQLIA
Figure 2 shows the architecture (adapted from21) to
detect and prevent SQLIA. In the proposed application we
used Pattern matching techniques to prevent and detect
SQLIA, where it contains two different phase checks to
operate and maintain non-vulnerability of the web
application, i.e.
™ Static phase checks,
™ Dynamic phase checks
Figure 2: Control flow of Pattern matching algorithm in SQLIA
i.e.
In static phase checks, user generated and validated
query with static pattern list,
In dynamic phase checks, the user application and
analyzes query manually according to anomaly score value.
B. Static Phase checking Steps-
• Step 1: SQL statement executed by the user is sent to
the pattern matching algorithm.
• Step 2: In static pattern matching each character will
validate the SQL string by character by character from
the left to right.
• Step 3: During the pattern matching technique, each
pattern is equally compared with stored anomaly
pattern, also all these patterns are stored in the static
pattern list.
• Step 4: Static pattern list is the repository of anomaly
patterns.
• Step 5: If the SQL statement is affected and pattern is
note matched by the stored anomaly pattern list
application will reject the login process.
134
C. Dynamic Phase checking Steps -
• Step 1: If the pattern does not match, then this
scheme calculates anomaly score value of the user
generated query for each pattern in the static pattern
list.
• Step 2: If this value is greater than the threshold
value, an alarm is generated and the query is
transferred to the administrator.
• Step 3: The administrator analyses query manually
to check whether it is affected by SQLIA or not.
• Step 4: If application affected by SQLIA, the pattern
is generated and appended to the static pattern list as
shown in Figure 2.
• Step 5: going on
IV. SQL INJECTION ATTACK (SQLIA) MODEL
A. Web Application Architecture:
Figure 3, shows the 3-tier architecture of the web
application, namely presentation tier, Application tier and
database tier. Middle tier will provide all services requested
by the users/ clients, basically application tier may contain
web or application server along with business logics, so
that any specific user of the application can fetch the
response from data base server. Once the request received
from business logic, that service sent to data server it
checks that particular data and sent back to the middle tier,
and finally fetches to user.
Figure 3: Architecture of 3-Tier Web Application Structure
B. SQL Injection Attack (SQLIA) with example:
SQL Injection Attack (SQLIA) occurs when an attacker
intended to change the developer structure of an SQL
command, where attacker insert malicious code like, new
SQL keywords or operators.
SQL statement Structure:
SQL statements comprise of many elements, like
keywords, identifiers, operators, literals and punctuation
marks or symbols, etc.
https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 17, No. 7, July 2019

• Basic clauses of SQL statement are, SELECT,
FROM, WHERE, GROUP BY, ALTER BY,
HAVING;
• predicates (e.g. loginName = ‘adam’);
• expressions (as in ‘adam’ OR 1=1) shown in
Figure 4.
If an attacker fetches ‘or 0=0’ as the username and
password, then the sql query can be constructed as:
String SQLQuery =”SELECT Username, Password
FROM users WHERE Username=” or 0=0” AND
Password=” or 0=0”;

C. Categories of SQLIA
An intruder will normally exploit the expression part
(injection spot) of the predicate after the WHERE clause Attacker or hacker uses many SQLIA techniques to
used to control the results of data requested from the execute the vulnerable code in the web application.
database including updating the database. Generally, SQLIA can be divided into four categories,
namely,
A tautological SQLIA type (e.g., ‘a’=’a’ or 1=1)
maliciously embedded in expression to return all the data ™ SQL Manipulation,
beyond the valid scope defined by the developer, likewise a ™ Code Injection,
full SQL query inserted into the SQL element’s expression ™ Function Call Injection,
spot. In applying predictive analytics, we analyzed the ™ Buffer Overflow.
predicate and expression for SQLIA signatures. i.e.
SQL manipulation is the technique to use build-in func-
tion to alter the SQL statements.
Code injection is when attacker inserts new vulnerable
SQL statements.
Function call injection is the method of inserting an
SQL function call into vulnerable SQL statements which
D. Types of SQLIA’s:
Various types of SQLIAs are used by the attacker are,

™ Tautologies,
™ Piggy backed queries attack,
™ Union attack,
™ Illegal incorrect queries,
™ Inference based attack,
™ Alternate encodings and
™ Stored procedures
Figure 4: Query String with SQL Statements
Table1 encapsulates the various types of SQLIA’s
parameters, like category, working methods and examples
Let us take on JDBC example – of SQL statements, etc.

135 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 17, No. 7, July 2019

TABLE 1- ENCAPSULATION OF SQLIA TYPES WITH EXAMPLES

Type of
Sl No Category Working Method Example
Attack

In tautology attack, malicious code

is injected as conditional statements.
Tautologies manipulati select * from users
on of
1 SQL where username = ‘manju’ OR
result is true.
‘1’ = ‘1’
In piggy backed queries attack,
attacker injects an separate query to the
Piggy Code valid sql statement. select * from users
backed injection
queries where username = “; INSERT INTO
attack users VALUES(‘anything’,’1536’)--
2 result is generated when first
query is executed.
Code Union query is nothing but joining
injection of two independent SQL queries, where
attacker use UNION operation to join select * from users
+ those SQL queries.
Union where username = “UNION SELECT
query SQL SUM (USERNAME) from users BY user id
3 manipulat
ion result is an extracted data of other having 1 = ‘1’ and password = ‘kanaka’.
table.

Attacker extract the schema of

database by injecting the wrong query
into the web application. select * from users
Illegal SQL where username = Having 1 = ‘1’ and
incorrect manipulat password = ‘kanaka’
4 queries ion Result is an error but it contains
important information about the
database.
Code Here attacker extract the http://victim/listproducts.asp?cat=books’
injection information by inquire the server by or ‘1’ = ‘1’.
Inferenc with true false questions.
e based
5 attack Buffe
r overflow select * from products where category =
‘books’ OR ‘1’ = ‘1’;
Alternat SQL It aims to secure defensive coding and automated preventive mechanisms.
e encodings manipulat
6 ion
Stored Code Attacker executes SQL statements by using malicious code.
procedures injection
7

V. EXPERIMENTAL SETUP AND RESULT
ANALYSIS
Table 2 shows the comparative analysis between
various techniques used by attacker (AMNESIA,
SQLCHECK, CANDID, Automated approach, Tautology
checker, SQLrand, SQLDOM, CSSE, WebSSARI) and
various types of attacks (tautology, logically incorrect
queries, union query, stored procedure, piggy backed
queries, inference attack, alternate encodings).
SQLIA detection can be done by checking anomalous
SQL query structure using string matching, pattern
matching and query processing.
From the comparative analysis in Table 2, it is to be
found that WebSSari technique is able to prevent all types
of SQLIA in a web application, so from our analysis,
WebSSARI technique is considered to be the best
technique among all the approaches.
‘√’ sign denotes, if technique is able to detect or
prevent the attack.
‘×’ sign denotes, if technique is not able to detect or
prevent the attack.

136 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 17, No. 7, July 2019

Table 2 - Types of Attacks with Detection & prevention of SQLIA

Sl No. Detection and Tautology Logically Union Stored Piggy Inference Alternate
Prevention incorrect query procedure backed attack encodings
queries queries
Techniques
1 AMNESIA √ √ √ × √ √ √
2 SQLCHECK √ √ √ × √ √ √
3 CANDID √ × × × × × ×
Automated
4 √ √ √ × √ √ ×
approach
Tautology
5 √ × × × × × ×
checker
6 SQLrand √ × √ × √ √ ×
7 SQLDOM √ √ √ × √ √ √
8 CSSE √ √ √ × √
9 WebSSARI √ √ √ √ √ √ √

A. Testing of SQLIA
By using Java environment, we implemented a JDBC
application with MySQL data base package, along with
various SQLIA Tools and techniques tester and debugger
are defined in different classes for validating the queries
that cause vulnerabilities to detect and prevented.
Figure 5 – 8 shows the sample intended vulnerability in
a web application, so that user can detect and prevent Figure 8- vulnerability in an application
SQLIA.

VI. CONCLUSION
Web applications are the tools to share and display their
personnel or self-valuable information to access in
worldwide network from anywhere. SQL Injection is a
Figure 5- Login application
severe security concern over web applications.
Due to the creative and dynamic SQLIA methods and
techniques, users can save their valuable, integral and
confidential data in the web site to save their market
stability towards their self as well as social enrichment. In
this paper author studied and analyzed many techniques to
detect and prevent SQLIA. Where Pattern matching
techniques will be the best solution to detect and prevent
SQLIA, but this approach needs to be learn and
Figure 6- Accessing web application without vulnerability
implemented effectively, then only we get intended best
solution regarding detection and prevention of SQLIA.

REFERENCES
[1] Balasundaram I, Ramaraj E. An approach to detect and prevent SQL
injection attacks in database using web service. International Journal
of Computer Science and Network Security (IJCSNS). 2011 Jan;
Figure 7- Intended to make web application vulnerable 11(1):197– 205.
[2] Top 10 2010-Main, OWASP top 10 application security risks – 2010
[Internet]. 2010 [updated 2016 Dec 12; cited 2010 Apr 26].
[3] Anley C. Advanced SQL injection In SQL server applications. Next
Generation Security Software Ltd; 2002. p. 1–25.

137 https://sites.google.com/site/ijcsis/
ISSN 1947-5500
 International Journal of Computer Science and Information Security (IJCSIS),
Vol. 17, No. 7, July 2019

[4] McDonald S. SQL injection: modes of attack, defense, and why it

matters. GovernmentSecurity.org; 2002 Apr. p. 1–32.
[5] Medhane MHASP. Efficient solution for SQL injection attack
detection and prevention. International Journal of Soft Computing
and Engineering (IJSCE). 2013 Mar; 3(1):395–8.
[6] William GJH, Orso A. Preventing SQL injection attacks using
AMNESIA. In the Proceedings of the Association for Computing
Machinery (ACM) 28th international Conference on Software
Engineering, Shanghai, China; 2006 May 20–28. p. 795–8.
[7] Su Z., Wassermann G. The essence of command injection attacks
in web applications. In the Proceedings of the 33rd
[8] Haripriya Rana and Shelly Sachdeva, Analysis of SQL Injection
Detection and Prevention ,Indian Journal of Science and
Technology, Vol 10(30), August 2017
[9] Sudhakar Choudhary, Arvind Kumar Jain, Anil Kumar, A Detail
Survey on Various Aspects of SQLIA, International Journal of
Computer Applications, Volume 161 – No 12, March 2017
[10] Manjunath K M, Dr M Kempanna, A Survey on Web Security
MechanismsUsing Vulnerability and Attack Injections,
International Journal of Science and Research(IJSR), Volume
7,Issue 8, August 2018.

138 https://sites.google.com/site/ijcsis/
ISSN 1947-5500