
2019 International Conference on Computer Network, Electronic and Automation (ICCNEA)

Research on SQL Injection Attack and Prevention Technology Based on Web

Limei Ma (1, 2, 3), Yijun Gao (3), Dongmei Zhao* (1, 2), Chen Zhao (1, 2)

1. College of Computer and Cyber Security, Hebei Normal University, Shijiazhuang, CHINA
2. Key Laboratory of Network and Information Security in Hebei Province, Shijiazhuang, CHINA
3. School of Information Studies, Dominican University, River Forest, USA
E-mail: [email protected]

* Corresponding author

Abstract: SQL injection is one of the most common means by which attackers compromise databases. With the spread of B/S (browser/server) application development, more and more programmers write applications in this mode. However, because the skill and experience of programmers vary widely, a considerable number of them do not check the legitimacy of user input when writing code, which exposes the application to security risks: a user can submit database query code as input and, from the program's response, obtain data he was never meant to see. SQL injection is one category of attack on database security, and it can be countered effectively by database security protection technology. This paper introduces the principle of SQL injection, the main forms of SQL injection attack, the types of injection attack, and how to prevent SQL injection, discussed and illustrated with examples.

Keywords: SQL; WEB; Injection Attack; Prevention Technology

I. WHAT IS SQL INJECTION

SQL injection tricks the server into executing malicious SQL commands by inserting SQL fragments into the query string of a Web form submission, an input field, or a page request. For example, many earlier video websites leaked VIP membership passwords through query strings submitted via Web forms; an application is particularly vulnerable to SQL injection when it builds dynamic SQL statements from input content in order to access the database. SQL injection also occurs if the code uses stored procedures that are passed strings containing unfiltered user input. Through SQL injection an attacker can gain access to the website database and read all of the data it contains; a malicious attacker can also tamper with the data in the database, or even destroy it. As a Web developer you want none of this, so it is necessary to understand the principle of SQL injection and to learn how to protect your website database in code.

II. SQL INJECTION PRINCIPLE

SQL injection can enable an attacker to bypass the authentication mechanism and take complete control of the database on the remote server. SQL is the abbreviation of Structured Query Language; it is the de facto standard for accessing databases. At present most Web applications use an SQL database to store application data; almost all Web applications use some kind of SQL database in the background. Like most languages, SQL syntax allows database commands to be mixed with user data. If developers are not careful, user data can be interpreted as commands, so that remote users can not only enter data into a Web application but also execute arbitrary commands on the database.

A. There are two main forms of SQL injection attacks
1) The first is to insert code directly into the user input variables that are concatenated with the SQL command and executed. The example given above uses this method. Because the input is bound directly into the SQL statement, it is also called the direct injection method.

978-1-7281-3977-7/19/$31.00 ©2019 IEEE 176


DOI 10.1109/ICCNEA.2019.00042
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on December 11,2023 at 08:08:51 UTC from IEEE Xplore. Restrictions apply.
2) The second is an indirect attack, which injects malicious code into strings that are destined for storage in a table or as metadata. When the stored string is later concatenated into a dynamic SQL command, the malicious code is executed. The injection works by terminating the text string early and then appending a new command. Take the direct injection attack as an example: when the user enters a variable, the current statement is terminated with a semicolon and a malicious SQL statement is inserted after it. Because the program may append other strings to the command before execution, attackers often end the injected string with the comment marker "--". On execution the system treats everything after the marker as a comment, so the subsequent text is ignored and is neither compiled nor executed.

III. TYPES OF SQL INJECTION ATTACKS

A. The escape character is not filtered correctly

This form of injection occurs when the user's input is not filtered for escape characters and is passed into an SQL statement. The result is that the end user of the application can manipulate the statements run on the database. For example, the following line of code demonstrates the vulnerability:

Statement := "SELECT * FROM users WHERE name = '" + userName + "';"

The purpose of this code is to fetch a particular user from the users table, but if a malicious user crafts the user name in a specific way, the statement may do more than the code's author expects. For example, set the userName variable to

a' OR 't'='t

and the statement becomes:

SELECT * FROM users WHERE name = 'a' OR 't'='t';

If this code is used in an authentication process, the example forces the selection of a valid user, because 't'='t' is always true.

On some SQL servers, such as Microsoft SQL Server, any SQL command can be injected in this way, including the execution of multiple statements. The following value of userName results in the deletion of the "users" table and the selection of all data from the "data" table (which in fact reveals the information of every user):

a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%

This makes the final SQL statement look like the following:

SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

Other SQL implementations do not allow multiple commands in the same query, as a security measure. This prevents an attacker from injecting a completely independent query, but it does not prevent an attacker from modifying the query.

B. Incorrect type handling

This form of attack occurs when a user-supplied field is not strongly typed, or when type coercion is not enforced. When a numeric field is used in an SQL statement, the attack succeeds if the programmer does not check that the user input is actually numeric. For example:

Statement := "SELECT * FROM data WHERE id = " + a_variable + ";"

From this statement it is clear that the author expects a_variable to be a number corresponding to the "id" field. However, if the end user supplies a string instead, no escape character is needed at all, because the value is not enclosed in quotes. For example, set the variable to

1; DROP TABLE users

which deletes the "users" table from the database; the SQL statement becomes:

SELECT * FROM data WHERE id = 1; DROP TABLE users;

C. Vulnerabilities in database servers

Sometimes there are vulnerabilities in the database server software itself, such as the mysql_real_escape_string() vulnerability in the MySQL server. It allowed a successful SQL injection even though the input had been escaped, because of incorrect handling of multi-byte character encodings: when the character set assumed by the escaping function did not match the connection's character set, a crafted multi-byte sequence could absorb the inserted backslash and leave the quote unescaped.

D. Blind SQL Injection Attack

A blind SQL injection attack occurs when a Web application is vulnerable but the result of the injected query is not visible to the attacker. The vulnerable page may not display data, but it displays different content depending on the truth value of a logical statement injected into the legitimate statement. This attack is time-consuming because a new statement must be carefully constructed for each byte acquired, but once the location of the vulnerability and the location of the target information are established, a tool such as Absinthe can automate the attack.

E. Conditional response

Note that an SQL injection can force the database to evaluate a logical statement on an ordinary application screen:

SELECT booktitle FROM booklist WHERE bookId = '00k14cd' AND 1 = 1

This returns the normal page, whereas the statement

SELECT booktitle FROM booklist WHERE bookId = '00k14cd' AND 1 = 2

may return a different result when the page is vulnerable to SQL injection. Such a single injection proves that blind SQL injection is possible, and it enables the attacker to design statements whose truth depends on the content of a field in another table.

F. Conditional errors

This type of blind SQL injection forces the database to evaluate a statement that causes an error if the WHERE clause is true, resulting in an SQL error. For example:

SELECT 1/0 FROM users WHERE username = 'Ralph'

Obviously, if Ralph exists, the division by zero leads to an error.

G. Time Delay

Time delay is another kind of blind SQL injection. Depending on the injected logic, it causes the SQL engine to execute a long-running query or an explicit delay statement. An attacker can

measure the page load time to determine whether the injected statement is true or false.

IV. EXAMPLES OF SQL INJECTION

A typical injection point in an ASP dynamic page has the form HTTP://xxx.xxx.xxx/abc.asp?Id=YY, possibly with other parameters.

A. Numeric SQL injection
Id=YY' : abc.asp runs abnormally
Id=YY and 1=1 : the page is the same as for id=YY
Id=YY and 1=2 : the page differs from id=YY (an exception)

B. Character-based SQL injection
Id=YY' : abc.asp runs abnormally
Id=YY' and '1'='1 : the page is the same as for id=YY
Id=YY' and '1'='2 : the page differs from id=YY (an exception)

Example: open DVWA at http://193.168.1.10/dvwa/login.php. DVWA (Damn Vulnerable Web Application) is a Web vulnerability testing program for teaching and detecting conventional Web vulnerabilities; log in with account admin and password admin, as shown in Figure 1.

Figure 1. DVWA initial interface

Select SQL Injection, enter 1 in the input box and click Submit to get the user information for ID 1, as shown in Figure 2.

Figure 2. Input 1 to get user information

Select SQL Injection, enter "1' and 1=1-- " in the input box (with a space at the end, which MySQL requires after the "--" comment marker) and click Submit to get the user information for ID 1, as shown in Figure 3.

Figure 3. Input "1' and 1=1-- " to get user information

Select SQL Injection, enter "1' or 1=1-- " in the input box and click Submit; because the condition is always true, the information of every user is returned, as shown in Figure 4.

Figure 4. Input "1' or 1=1-- " to get user information

To obtain information about the database, enter 1' and 1=2 union select version(), database()-- in the input box and click Submit, as shown in Figure 5. The "1=2" makes the original query return nothing, so the two columns of the page show the results of the injected SELECT instead.

Figure 5. Input "1' and 1=2 union select version(), database()-- " to get database information

To list the databases, enter 1' and 1=2 union select 1, schema_name from information_schema.schemata-- and click Submit to view the database names, as shown in Figure 6.

Figure 6. Viewable database names

information_schema is the MySQL system database: its SCHEMATA table stores the information about all databases, its TABLES table stores the information about all tables, and its COLUMNS table stores the information about all columns.

To get the table names in the DVWA database, enter 1' and 1=2 union select group_concat(table_name), 2 from information_schema.tables where table_schema='information.schema'# in the input box and click Submit, as shown in Figure 7. Here "#" is MySQL's other end-of-line comment marker, which needs no trailing space. Note that, as printed, the filter table_schema='information.schema' matches no schema (the system schema is spelled information_schema); to list the tables of the DVWA database itself, as the figure intends, the filter is table_schema='dvwa', or table_schema=database().

Figure 7. Get the table names in the DVWA database

V. HOW TO PREVENT SQL INJECTION?

The root cause of SQL injection is that SQL statements are built carelessly and that special characters in user input are not filtered during program development. As a result, a client can submit SQL fragments through the global variables POST and GET and have them executed as part of a normal query. The methods for preventing SQL injection are as follows:

1) Preprocess queries with mysqli or PDO, that is, use prepared statements (parameterized queries). User input is then bound as a value and is never parsed as SQL, so none of the payloads of Sections III and IV can alter the statement. This is the measure that actually removes the vulnerability; the remaining items reduce exposure but do not replace it.

2) Enforce the type of every parameter before it reaches SQL: an "id" that must be numeric is converted to an integer first, and the request is rejected if the conversion fails (Section III.B).

3) When writing SQL statements, do not omit the backticks (the key above Tab) around identifiers or the single quotes around values. An unquoted numeric value can be injected into without any quote character at all.

4) Do not output error messages to the browser; write them to the log file instead. Verbose errors give the attacker exactly the feedback that error-based blind injection (Section III.F) relies on.

5) Encapsulate common database access in shared methods, so that SQL statements are not scattered through the application and assembled by ad hoc concatenation.

6) Filter common database keywords (select, insert, update, delete, *) out of the input, or escape it with the system function addslashes(). Both are weak: keyword blacklists are easily evaded (changes of case, comments, alternative syntax) and also reject legitimate input, and addslashes() is not aware of the connection character set, which is the weakness described in Section III.C. Use them only in addition to prepared statements, never instead of them.

7) Choose table and field names that are hard to guess, naming important fields after characteristics of the program. This is obscurity only: an attacker who can query information_schema, as in Section IV, reads the names directly.

8) In the PHP configuration file set register_globals = off, so that request variables are not registered as global variables. With register_globals = on, the value of a POST form field can be read directly as $user; with it off, it must be read explicitly as $_POST['user'].

9) Enable magic_quotes_gpc (and magic_quotes_runtime) if they are off, so that quotes in the data submitted by the user are escaped automatically before the SQL statement is built, and enable PHP safe mode with safe_mode = on. Note that magic_quotes, register_globals and safe_mode were all deprecated in PHP 5.3 and removed in PHP 5.4, so on any current PHP these settings no longer exist and the application itself must do the work with prepared statements.

VI. CONCLUSION

SQL injection attackers are becoming smarter and more thorough at finding vulnerable websites, new methods of SQL attack keep appearing, and hackers use various tools to speed up the exploitation of vulnerabilities. Consider the Asprox Trojan, which spreads mainly through a spam-sending botnet. Its workflow can be described as follows. First, the Trojan is installed on a computer through spam sent by a controlled host. Then the infected computer downloads a binary which, when started, uses search engines to find forms built with Microsoft's ASP technology, that is, potentially vulnerable websites. The search results become a target list for SQL injection attacks. The Trojan then launches SQL injection attacks on these sites, bringing some of them under its control and defacing them. Users who visit these compromised sites are tricked into downloading a malicious piece of JavaScript from another site, and finally this code redirects them to a third site hosting further malware, such as password-stealing Trojans.

ACKNOWLEDGMENT

This project was supported by the National Natural Science Foundation of China (No. 61672206) and by the National Natural Science Youth Foundation of China (No. 61703136).

Author 1: Limei Ma, Associate Professor, Hebei Normal University; visiting scholar at Dominican University, USA. Research fields: cyber security, information technology and artificial neural networks.

Corresponding author: Dongmei Zhao, Professor, Hebei Normal University. Research fields: cyber security, information technology.

Author 3: Yijun Gao, Associate Professor, Dominican University. Research fields: social media and emerging technologies, competitive intelligence, crisis management.

Author 4: Chen Zhao, Associate Professor, Hebei Normal University. Research fields: cyber security, data mining.
