SQL Injection - Database Attack Revolution And Prevention

Authors: Ramakanth Dorai, Vinod Kannan
Affiliation: Computer Science and Engineering, S.N.S College of Technology, Coimbatore (both authors)
Pages: 224-231
JICLT
Journal of International Commercial Law and Technology
Vol. 6, Issue 4 (2011)
SQL Injection-Database Attack Revolution and Prevention
Ramakanth Dorai
Computer science and engineering
S.N.S College Of Technology-Coimbatore
Playhard89@gmail.com
Vinod Kannan
Computer science and engineering
S.N.S College Of Technology-Coimbatore
fast2fortune@gmail.com
Abstract. SQL injection arrived with a bang and caused a revolution in database attacking. In recent years, with the explosion in web-based commerce and information systems, databases have been drawing ever closer to the network, and they are now a critical part of network security. This paper draws on our research and first-hand experience of hacking databases by SQL injection. The database is the storage brain of a website. A hacked database is the source of passwords and of juicy information such as credit card numbers, bank account numbers and everything else that is meant to be off limits. Preventing database exploitation by SQL injection deserves priority. The aim of this paper is to create awareness among web developers and database administrators about the urgent need for database security. Our ultimate objective is to totally eradicate the whole concept of SQL injection and to stop this technique from becoming a plaything in the hands of exploiters.
1. Introduction
Exploiting a security vulnerability in an application's database layer and penetrating the database by supplying SQL code through the application's inputs is known as SQL injection. This code-injection technique fools the database application into executing attacker-controlled SQL and so gains illegal access. The effect of a successful SQL injection is dreadful. Nearly 1 lakh (100,000) websites were hacked in 2008 alone, and most of the compromised sites were government websites of many nations. We have found that nearly 65 percent of the government websites of developing countries are vulnerable. This clearly shows the need to prevent SQL injection. Web developers and database administrators should know the devastating consequences of this attack and should consider implementing our suggested prevention methods. This paper starts with the forms of SQL injection currently used by hackers and demonstrates with examples how they carry out the attack. Ignorance among administrators of current protection systems has brought us to this situation. We give our suggested prevention method in accordance with the current scenario, after extensive reference work and discussion with security experts and underground hackers.
2. Forms of SQL Injection Vulnerabilities
2.1 Incorrectly filtered escape characters
This form of SQL injection occurs when user input that is used in a SQL statement is not filtered for escape characters, in particular the single quote that delimits string literals. Because the input is pasted into the statement text, a quote inside it ends the literal and whatever follows is parsed as SQL rather than as a data value. Consider this sample code, which is meant to display the records of the specified username:
statement = "SELECT * FROM customers WHERE name = '" + customerName + "';"
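To make the effect of this concatenation concrete, the following is an added example (not code from the paper) that runs the paper's statement against a constructed three-row SQLite table, feeds it two classic single-quote payloads, and compares the outcome with a parameterized version of the same query. The table contents, the payload strings and all function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the paper).
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def render_vulnerable(customer_name):
    """Build the statement exactly as the paper's snippet does: input glued into the SQL text."""
    return "SELECT * FROM customers WHERE name = '" + customer_name + "';"


def lookup_vulnerable(conn, customer_name):
    """Execute the concatenated statement. A single quote in customer_name ends the
    string literal, so the rest of the input is parsed as SQL, not as a name."""
    return conn.execute(render_vulnerable(customer_name)).fetchall()


def lookup_parameterized(conn, customer_name):
    """Hardened form: the value is bound as a parameter and never becomes SQL text,
    so quotes inside it cannot alter the statement's structure."""
    return conn.execute("SELECT * FROM customers WHERE name = ?;", (customer_name,)).fetchall()


def demo():
    """Run a benign name and two injection payloads through both lookups.
    Returns a dict of result rows keyed by case name."""
    conn = make_db()
    benign = "bob"
    # Tautology payload: closes the literal and appends a condition that is always true.
    tautology = "' OR '1'='1"
    # Comment payload: closes the literal, adds a true condition, and comments out the
    # trailing quote and semicolon that the application appends.
    comment = "' OR 1=1 --"
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "vulnerable_comment": lookup_vulnerable(conn, comment),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_tautology": lookup_parameterized(conn, tautology),
        "parameterized_comment": lookup_parameterized(conn, comment),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {len(rows)} row(s) {rows}")
```

With the benign name both lookups return only Bob's row. With either payload the concatenated statement returns every customer, because the WHERE clause has become `name = '' OR '1'='1'` (or `name = '' OR 1=1`), while the parameterized lookup returns nothing: the database is asked for a customer literally named `' OR '1'='1`, which does not exist. The parameterized form is the fix this section's title points at; filtering or escaping quotes by hand is a weaker substitute because it must be repeated correctly at every concatenation site.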
