Research On SQL Injection Attack and Prevention Technology Based On Web
Abstract—SQL injection attack is one of the common means for hackers to attack databases. With the development of B/S mode application development, more and more programmers use this mode to write applications. However, due to the uneven level and experience of programmers, a considerable number of programmers do not judge the legitimacy of user input data when writing code, which exposes the application to security risks. Users can submit database query code and obtain the data they want according to the results returned by the program. SQL injection attack is one of the means of attacking database security, and it can be effectively defended against by database security protection technology. This paper introduces the principle of SQL injection, the main forms of SQL injection attack, the types of injection attack, and how to prevent SQL injection, discussed and illustrated with examples.

Keywords-SQL; WEB; Injection Attack; Prevention Technology

I. WHAT IS SQL INJECTION

The so-called SQL injection is to cheat the server into executing malicious SQL commands by inserting SQL commands into the query string of a Web form submission, an input domain name or a page request. For example, many earlier video websites leaked VIP membership passwords mostly through query characters submitted via WEB forms, which are particularly vulnerable to SQL injection attacks when the application program. SQL injection attacks occur when dynamic SQL statements are constructed from input content to access the database. SQL injection also occurs if the code uses stored procedures which are passed strings containing unfiltered user input. Hackers can gain access to the website database through a SQL injection attack, and then obtain all the data in the website database. Malicious hackers can tamper with the data in the database through SQL injection and even destroy the data in the database. As a web developer, you hate this kind of hacking. It is necessary to understand the principle of SQL injection and learn how to protect your website database through code.

II. SQL INJECTION PRINCIPLE

SQL injection can enable an attacker to bypass the authentication mechanism and completely control the database on the remote server. SQL is the abbreviation of Structured Query Language. It is the de facto standard for accessing databases. At present, most Web applications use a SQL database to store application data; almost all Web applications use some kind of SQL database in the background. Like most languages, SQL syntax allows database commands to be mixed with user data. If developers are not careful, user data can be interpreted as commands, so that remote users can not only input data to Web applications, but also execute arbitrary commands on the database.

A. There are two main forms of SQL injection attacks

1) One is to insert the code directly into the user input variables that are concatenated with the SQL command and made to execute. The example given above is an instance of this method. Because it is directly bound with the SQL statement, it is also called the direct injection attack method.
177
Authorized licensed use limited to: INDIAN INSTITUTE OF TECHNOLOGY ROORKEE. Downloaded on December 11,2023 at 08:08:51 UTC from IEEE Xplore. Restrictions apply.
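To make the principle of Section II concrete, here is an added example (not code from the paper) in Python, with an in-memory SQLite database standing in for the website database. The two "concatenated" functions are the direct injection form: the input variable is spliced into the SQL text, in the numeric and the quoted-string context, so SQL inside the input is executed as SQL. The "bound" functions send the same input as a parameter, which is the prepared-statement approach the paper recommends at the end of Section V. Table, column and function names are assumptions for the illustration.

```python
import sqlite3

# Constructed in-memory database standing in for the website database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                 [("admin", "s3cret"), ("alice", "hunter2")])


def by_id_concatenated(user_id: str):
    """Direct injection form, numeric context: the input variable is
    concatenated into the SQL text, so SQL inside it changes the command."""
    sql = "SELECT id, name FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def login_concatenated(name: str, password: str):
    """Direct injection form, quoted-string context: the input can close
    the quote the developer opened and continue the statement."""
    sql = ("SELECT id, name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def by_id_bound(user_id: str):
    """Hardened form: the type is checked and the value is bound as a
    parameter, so the database never parses it as part of the command."""
    try:
        id_value = int(user_id)
    except ValueError:
        return []           # not a number: reject instead of splicing it in
    return conn.execute("SELECT id, name FROM users WHERE id = ?",
                        (id_value,)).fetchall()


def login_bound(name: str, password: str):
    """Hardened form: both values are bound; quotes inside them stay data."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchall()


if __name__ == "__main__":
    # The concatenated query returns every row: the condition became "id = 1 or 1=1".
    print(by_id_concatenated("1 or 1=1"))
    # The bound query returns nothing: "1 or 1=1" is not an id.
    print(by_id_bound("1 or 1=1"))
    # The paper's "1' or 1=1--" closes the quote, adds a tautology and comments out
    # the password check; with bound parameters it is just an unknown user name.
    print(login_concatenated("1' or 1=1--", "x"))
    print(login_bound("1' or 1=1--", "x"))
```

The important difference is where the input is interpreted: in the concatenated versions the database's SQL parser sees it, in the bound versions only the comparison does.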
measure the page load time to determine whether the injected statement is true or not.

IV. EXAMPLES OF SQL INJECTION

SQL injection format: HTTP://xxx.xxx.xxx/abc.asp?Id=YY and other parameters in ASP dynamic web pages.

A. Digital SQL Injection

Id=YY', abc.asp runs abnormally
Id=YY and 1=1 returns the same page as id=YY
Unlike the id=YY page, id=YY and 1=2 has an exception

B. Character-based SQL injection

Id=YY', abc.asp runs abnormally;
Id=YY and '1=1' returns the same page as id=YY
Unlike the id=YY page, id=YY and '1=2' has an exception

Examples: http://193.168.1.10/dvwa/login.php. Open DVWA; DVWA is a WEB vulnerability testing program for conventional WEB vulnerability teaching and detection, account admin, password admin, as shown in Figure 1.

Select SQL Injection, enter "1' or 1 = 1--" in the input box, and click "Submit" to get the user information with ID 1, as shown in Figure 4.

Figure 4. Input "1' or 1=1--" to get user information

Try to get the database information: enter 1' and 1=2 union select version(), database() -- in the input box and click "Submit", as shown in Figure 5.

Figure 5. Input "1' and 1=2" to get user information

Figure 6. Viewable database name
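The probes in Section IV (the id=YY and 1=1 / 1=2 pair, the "1' or 1=1--" tautology and the union select version(), database() query) leave a recognisable trace in the web server's access log. The following added example, which is not part of the paper, is a small detector in Python for those shapes: it parses common-log-format lines, URL-decodes the query parameters, matches each value against the probe patterns, and additionally reports a client that sent both the true and the false variant of the boolean pair against the same parameter, since that differential is the signature of the technique described above. The log lines are constructed samples, and the paths, pattern names and function names are assumptions for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Dec/2023:08:08:51 +0000] "GET /abc.asp?Id=12 HTTP/1.1" 200 512
10.0.0.9 - - [11/Dec/2023:08:09:02 +0000] "GET /abc.asp?Id=12%20and%201%3D1 HTTP/1.1" 200 512
10.0.0.9 - - [11/Dec/2023:08:09:03 +0000] "GET /abc.asp?Id=12%20and%201%3D2 HTTP/1.1" 500 231
10.0.0.9 - - [11/Dec/2023:08:09:10 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+or+1%3D1--&Submit=Submit HTTP/1.1" 200 900
10.0.0.9 - - [11/Dec/2023:08:09:15 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27+and+1%3D2+union+select+version()%2Cdatabase()--&Submit=Submit HTTP/1.1" 200 700
10.0.0.7 - - [11/Dec/2023:08:10:00 +0000] "GET /search.asp?q=rock+and+roll HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Probe shapes taken from the paper's examples, matched on the decoded parameter value.
SIGNATURES = [
    ("tautology", re.compile(r"\bor\s+1\s*=\s*1\b", re.I)),
    ("boolean-true", re.compile(r"\band\s+1\s*=\s*1\b", re.I)),
    ("boolean-false", re.compile(r"\band\s+1\s*=\s*2\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("comment-terminator", re.compile(r"(?:--|#)\s*$")),
]


def parse_line(line: str):
    """Split one log line into client, path, status and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "path": target.path,
        "status": int(m["status"]),
        # parse_qsl undoes both %XX and '+' encoding, so the patterns see plain text.
        "params": parse_qsl(target.query, keep_blank_values=True),
    }


def scan_log(text: str):
    """Return one finding per (parameter value, matching signature), plus a
    'boolean-pair' finding when one client sent both 'and 1=1' and 'and 1=2'
    to the same parameter of the same page."""
    findings = []
    seen = defaultdict(set)  # (ip, path, param) -> labels observed
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            labels = [label for label, rx in SIGNATURES if rx.search(value)]
            for label in labels:
                findings.append({"ip": rec["ip"], "path": rec["path"], "param": name,
                                 "label": label, "status": rec["status"], "value": value})
            seen[(rec["ip"], rec["path"], name)].update(labels)
    for (ip, path, name), labels in seen.items():
        if {"boolean-true", "boolean-false"} <= labels:
            findings.append({"ip": ip, "path": path, "param": name,
                             "label": "boolean-pair", "status": None, "value": None})
    return findings


def suspicious_clients(findings):
    """Distinct client addresses with at least one finding, sorted."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["path"], f["param"], f["label"], f["status"], repr(f["value"]))
    print("clients:", suspicious_clients(scan_log(SAMPLE_LOG)))
```

The status column is kept in each finding because, as Section IV describes, the true and false variants of a probe produce different server behaviour (same page versus an exception), so a 200/500 pair from one client is stronger evidence than either line alone. The word "and" in ordinary search text (the last sample line) does not match, since the patterns require the 1=1 / 1=2 comparison.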
V. HOW TO PREVENT SQL INJECTION?

The reason for SQL injection is that the SQL statements are not written properly and special characters are not filtered during program development. As a result, the client can submit SQL statements through the global variables POST and GET and have them execute normally. The methods to prevent SQL injection are as follows:

Open the magic_quotes_gpc and magic_quotes_runtime settings in the configuration file. Use addslashes to convert SQL statements when executing them. SQL statements should not omit small quotation marks (backticks) and single quotation marks as far as possible. Filter out some keywords in SQL statements: update, insert, delete, select, .*. Improve the naming of database tables and fields, naming important fields according to the characteristics of the program so that they are difficult to guess. Set register_globals to off in the PHP configuration file to close global variable registration. Control error information: do not output error information to the browser; write error information to the log file. Filter out some common database operation keywords (select, insert, update, delete, and *), or filter through the system function addslashes(content that needs to be filtered).

register_globals = off in the PHP configuration file: registered global variables are closed when this is set to off. For example, the value of a POST form is received using $_POST['user']; if register_globals = on, the value of a form can be received directly using $user. When writing SQL statements, try not to omit small quotation marks (the backtick, the one above the Tab key) and single quotation marks. Improve database naming skills: name important fields according to the characteristics of the program so that they are not easy to guess. Encapsulate common methods to avoid directly leaking SQL statements. Open PHP safe mode: safe_mode = on. Open magic_quotes_gpc to prevent SQL from being injected: the default is magic_quotes_gpc = off, and after opening it the SQL statements submitted by the user are automatically converted, which plays an important role in preventing SQL injection, so open it: magic_quotes_gpc = on. Control error information: close the error message and write it to the system log. Preprocess (prepared statements) with mysqli or PDO.

VI. CONCLUSION

SQL injection attackers are smarter and more comprehensive in finding vulnerable websites. There are some new methods of SQL attack. Hackers can use various tools to speed up the process of exploiting vulnerabilities. Let's take a look at the Asprox Trojan, which is spread mainly through a botnet that sends mail. The whole process of its work can be described as follows: First, the Trojan is installed on the computer through spam sent by a controlled host. Then, the computer infected by the Trojan downloads a binary, and when it starts, it uses a search engine to find forms and vulnerable websites built with Microsoft's ASP technology. The results of the search become a list of targets for SQL injection attacks. Then, the Trojan launches SQL injection attacks on these sites, bringing some of them under control and destruction. Users visiting these controlled and destroyed sites are tricked into downloading a malicious piece of JavaScript code from another site. Finally, this code guides users to a third site, where there is more malware, such as Trojan horses stealing passwords.

ACKNOWLEDGMENT

This project is supported by the National Natural Science Foundation of China (No. 61672206) and the National Natural Science Youth Foundation of China (No. 61703136).

Author 1: Limei Ma, Associate Professor, Hebei Normal University, Dominican University of America visiting scholar, research field: cyber security, information technology and artificial neural network

Correspondence Author: Dongmei Zhao, Professor, Hebei Normal University, research field: cyber security, information technology

Author 3: Yijun Gao, Associate Professor, Dominican University, research fields: social media and emerging technologies, competitive intelligence, crisis management

Author 4: Chen Zhao, Associate Professor, Hebei Normal University, research field: cyber security, data mining
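Two of the measures in Section V deserve a worked illustration, added here and not taken from the paper: the escaping of special characters (addslashes) and the control of error information. The Python example below, again on an in-memory SQLite database, shows that quote-escaping only helps in the character-based context of Section IV.B; in the digital context of Section IV.A (id=YY and 1=1) there is no quote to escape, and only a bound parameter with a type check protects the query. It then shows the error-handling rule: the detailed database error is written to a log, and the client receives only a generic message. The escaping function doubles single quotes, which is the SQL-standard counterpart of what addslashes does for MySQL with backslashes (the backslash style is MySQL-specific, which is why it is not used on SQLite here); a StringIO stands in for the log file so the block runs stand-alone. Table, column and function names are assumptions for the illustration. Note also that magic_quotes_gpc, safe_mode and register_globals were removed in PHP 5.4, so of the measures listed in Section V, prepared statements with mysqli or PDO are the ones that remain available.

```python
import io
import logging
import sqlite3

# Constructed in-memory database standing in for the website database.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
conn.executemany("INSERT INTO users (name) VALUES (?)", [("admin",), ("alice",)])

# Error information goes to a log, never to the browser. A StringIO stands in
# for the log file so this block runs stand-alone.
LOG_STREAM = io.StringIO()
log = logging.getLogger("app.db")
log.addHandler(logging.StreamHandler(LOG_STREAM))
log.setLevel(logging.ERROR)
log.propagate = False


def escape_quotes(value: str) -> str:
    """Quote-doubling escape: the SQL-standard counterpart of what PHP's
    addslashes() does for MySQL (whose backslash escapes SQLite does not use)."""
    return value.replace("'", "''")


def by_name_escaped(name: str):
    """Character-based context: escaping keeps the input inside the literal,
    so "x' or 1=1--" is compared as a name and matches nothing."""
    sql = "SELECT id, name FROM users WHERE name = '" + escape_quotes(name) + "'"
    return conn.execute(sql).fetchall()


def by_id_escaped(user_id: str):
    """Digital context: the value is not quoted, so there is nothing for the
    escape to act on and "1 or 1=1" still changes the WHERE clause."""
    sql = "SELECT id, name FROM users WHERE id = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def by_id_bound(user_id: str):
    """The remedy for the digital context: check the type, then bind the value
    (the mysqli/PDO prepared-statement approach)."""
    try:
        id_value = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, name FROM users WHERE id = ?",
                        (id_value,)).fetchall()


def handle_request(user_id: str):
    """What the web tier returns: the detailed error (which would reveal the
    query structure) goes to the log; the client sees a generic message."""
    try:
        return {"ok": True, "rows": by_id_escaped(user_id)}
    except sqlite3.Error as exc:
        log.error("query failed for id=%r: %s", user_id, exc)
        return {"ok": False, "error": "request could not be processed"}


if __name__ == "__main__":
    print(by_name_escaped("x' or 1=1--"))   # [] : escaping worked in the quoted context
    print(by_id_escaped("1 or 1=1"))        # both rows: escaping did nothing here
    print(by_id_bound("1 or 1=1"))          # [] : the bound, type-checked form rejects it
    print(handle_request("1'"))             # generic error for the client ...
    print(LOG_STREAM.getvalue())            # ... and the real reason in the log
```

The digital case is the one that keyword or quote filtering most often misses, which is why the paper's final recommendation, preprocessing with mysqli or PDO, should be the primary control rather than the last item on the list.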