Research Article

A Survey on Detection and Prevention Techniques of SQL Injection Attacks

by Harish Dehariya, Piyush Kumar Shukla, Manish Ahirwar
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 137 - Issue 5
Published: March 2016
Authors: Harish Dehariya, Piyush Kumar Shukla, Manish Ahirwar
10.5120/ijca2016908672

Harish Dehariya, Piyush Kumar Shukla, Manish Ahirwar . A Survey on Detection and Prevention Techniques of SQL Injection Attacks. International Journal of Computer Applications. 137, 5 (March 2016), 9-15. DOI=10.5120/ijca2016908672

@article{ 10.5120/ijca2016908672,
author  = { Harish Dehariya and Piyush Kumar Shukla and Manish Ahirwar },
title   = { A Survey on Detection and Prevention Techniques of SQL Injection Attacks },
journal = { International Journal of Computer Applications },
year    = { 2016 },
volume  = { 137 },
number  = { 5 },
pages   = { 9-15 },
doi     = { 10.5120/ijca2016908672 },
publisher = { Foundation of Computer Science (FCS), NY, USA }
}

%0 Journal Article
%D 2016
%A Harish Dehariya
%A Piyush Kumar Shukla
%A Manish Ahirwar
%T A Survey on Detection and Prevention Techniques of SQL Injection Attacks
%J International Journal of Computer Applications
%V 137
%N 5
%P 9-15
%R 10.5120/ijca2016908672
%I Foundation of Computer Science (FCS), NY, USA
Abstract

Web applications are in wide use today, and many of them handle financial transactions such as online banking, e-shopping, online bill payment and money transfer. A web application interacts with its database through Structured Query Language (SQL) statements, usually assembled by a server-side scripting language. The data behind these queries includes sensitive or personal information about many users, so it must be kept confidential from unauthorized access. An SQL injection attack (SQLIA) is one of the most common web application vulnerabilities: crafted input is inserted into a query so that it changes the meaning of the statement and retrieves personal information about other users. In this paper, various detection and prevention techniques for SQL injection attacks are described and compared.
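As an added example, not code from the survey or its authors: the attack the abstract describes, shown as a login query built by string concatenation (the SQLIA pattern) beside the parameterized query that defeats it, run against an in-memory SQLite table. The table, its two rows and the attack strings are constructed for the demonstration; the column names, the card numbers and the payloads are assumptions, not data from the paper.

```python
# Added example (not from the survey): a string-built login query that is
# vulnerable to SQL injection, beside the parameterized version that defeats
# it. The schema, the rows and the attack strings are constructed here for
# the demonstration.
import sqlite3


def make_db():
    """Build an in-memory SQLite database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, password TEXT, card TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, card) VALUES (?, ?, ?)",
        [
            ("alice", "s3cret", "4111-1111-1111-1111"),  # constructed data
            ("bob", "hunter2", "5500-0000-0000-0004"),   # constructed data
        ],
    )
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """Concatenate untrusted input into the SQL text (the SQLIA pattern).

    Quotes, operators and comment markers inside the input become part of
    the statement's grammar instead of staying data.
    """
    return (
        "SELECT username, card FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Run the concatenated query; return every (username, card) it matches."""
    return conn.execute(build_vulnerable_sql(username, password)).fetchall()


def login_parameterized(conn, username, password):
    """Hardened form: the statement text is fixed and the values are bound.

    The driver passes the input to the engine as data, so it can never alter
    the WHERE clause, whatever characters it contains.
    """
    sql = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Tautology payload: makes the WHERE clause true for every row, so the
    # vulnerable query leaks every user's card while the bound query matches
    # nothing.
    tautology = "' OR '1'='1"
    print(build_vulnerable_sql(tautology, tautology))
    print("vulnerable   :", login_vulnerable(db, tautology, tautology))
    print("parameterized:", login_parameterized(db, tautology, tautology))
    # Comment payload: closes the quote after a chosen account name and
    # comments out the password check, logging in as that user.
    print(build_vulnerable_sql("alice' --", "wrong"))
    print("vulnerable   :", login_vulnerable(db, "alice' --", "wrong"))
    print("parameterized:", login_parameterized(db, "alice' --", "wrong"))
```

The tautology payload turns the predicate into `username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row; the comment payload leaves `username = 'alice' --...`, discarding the password test. Bound parameters remove both because the statement is parsed before the values are supplied. Note the caveat that parameterization covers values only: table or column names and ORDER BY targets taken from input still need an allow-list, since they cannot be bound.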

Index Terms
Computer Science
Information Sciences
Keywords

Web Application, SQL Injection, Vulnerabilities, Detection and Prevention Techniques.
