INTERNATIONAL JOURNAL ON INFORMATICS VISUALIZATION
VOL 2, NO 3-2. e-ISSN: 2549-9904, ISSN: 2549-9610

Review of SQL Injection: Problems and Prevention

Mohd Amin Mohd Yunus#, Muhammad Zainulariff Brohan#, Nazri Mohd Nawi#, Ely Salwana Mat Surin*, Nurhakimah Azwani Md Najib#, Chan Wei Liang#

# Faculty of Science Computer and Information Technology, Universiti Tun Hussein Onn Malaysia, Malaysia
* Institute of Visual Informatics, Universiti Kebangsaan Malaysia
E-mail: aminy@uthm.my, zainulariff96@gmail.com, nazri@uthm.my, elysalwana@ukm.my, nurhakimahazwani95@gmail., weiliang246@gmail.

Abstract: SQL injection affects electronic records in databases, and it still exists two decades after it first happened. Most web-based applications are still vulnerable to SQL injection attacks. Although technology has improved a lot over the past years, hackers can still find holes through which to perform SQL injection. There are many methods by which hackers perform SQL injection, and there are also plenty of ways to prevent it. The vulnerability to SQL injection is very big, and it is a huge threat to web-based applications, because hackers can easily hack the system and obtain any data and information they want, anytime and anywhere. This paper reviews several techniques proposed in existing journal papers for preventing SQL injection. It then puts forward a Blockchain concept to prevent SQL injection attacks on a database management system (DBMS) via IP.

Keywords: Database, DBMS, SQL Injection

INTRODUCTION

SQL is the short form of Structured Query Language. SQL is used to interact with a database and to manipulate the data stored in it. A database normally provides a data definition language and a data manipulation language to allow result retrieval. Meanwhile, injection is the action of injecting something into an organism.
SQL injection is a technique by which hackers execute malicious SQL queries on the database server. It can be carried out through a web-based application to gain access to databases that contain sensitive information. According to the National Security Agency (NSA), SQL injection is the way most typically used by hackers; even the famous database organization MySQL was hacked by this technique on electronic records.

Some vulnerabilities in MySQL cause data leakage, because attackers who gain access to the database can expose the information or alter it. One of these vulnerabilities is privilege escalation, also called the race condition bug. This bug allows local system users to access the database and upgrade their privileges, for example by changing their id to 1, which can be an admin, and then alter or execute the information as they like. This gives an attacker the opportunity to access the entire database server, and the attacker might fully compromise the target server. Besides that, there is another vulnerability, the root privilege escalation bug. This bug works with the previous Since the previous bug gives the attackers the privilege to access the server and upgrade a user to administrator, the attacker can change a certain system file to a random file. Due to the present bug, it will cause the tied to an unsafe file. That's why the attacker can change the file easily: the bug opens a backdoor for the attacker to alter the file.

Normally, the most common attacks that threaten the database system target the login system. On the login page, most attacks use brute force, which means guessing the password by trying every possibility; a dictionary attack is considered a type of brute force. Another attack that is very common and widely used by attackers is SQL injection. SQL injection is putting '1' OR '1' = '1' into the username and password.
If the system does not have any SQL injection prevention and the attacker enters this code, the attacker can access the system without authorization. The bad consequence of this SQL injection is that the hacker can easily gain access to the database information. However, SQL injection can be prevented in a few ways. The first approach is to use SQL injection sanitizers, which are used in the Directory of Useful Decoy (DUD) to detect intervention in the web-based application. The second approach is to provide a firewall for the SQL server.

completing this review paper, thirteen interesting journal SQL Study by . , they define SQL injection as the method by which hackers execute malicious SQL queries on the database server via a web-based application. They also explain the strategy for fighting SQL injection and the solution for fighting it. In . , they explained how SQL injection works and the defensive mechanisms against these threats. As for the studies in . , they explained how to prevent SQL injection in server-side scripting and how to detect SQL injection attack In . , they also explained the prevention of SQL injection.

A database is a set of data and information which is organized so that it can be accessed, easily, handle and The data is organized into rows, columns and tables, and it is indexed to make it easy to find the related data and information. The data is updated, enlarged and deleted as new data and information is added. Databases process workloads to create and update themselves, query the data they contain and run applications against it. As the usage of databases increases, the regularity of attacks against those databases also increases. Data cracks are threats to every organization. Crack damage goes beyond the actual loss of sensitive and personal information.
The risk of sensitive organizations must always step ahead in their database security to protect and secure their data and information from the attackers.

Database attacks are an increasing trend nowadays. One of the reasons is the increase in access to the data and information stored in databases. When the data has been accessed by a lot of anonymous people, the chances of the data threats is Furthermore, database attacks are carried out to make a lot of money by illegally selling sensitive information such as credit card numbers.

Based on my first journal . , the journal explained the lack of awareness regarding database security, which can lead to many database threats such as loss of the integrity, confidentiality and availability of the data and information of the companies and so on. From the . , to reduce the percentage of database threats, this journal proposed some techniques to overcome this problem, such as improving the existing security system of the database. Furthermore, in . , the journal discussed a detection system, anomaly detection (AD), for detecting insider attacks on the database, which are far more dangerous than outsider attacks. Moreover, from . , there are various categories of attacker such as intruder, insider, and Besides, the journal also discusses the types of attack, which are direct attacks, indirect attacks, passive attacks and active attacks. From the last journal . , database security threats on mobile and how to overcome this problem are discussed. In the database system it is compulsory to have support. The security of the database system in mobile is much more important.

Thus, the next section discusses the material and method or algorithm, comparing the methods of each author. This is followed by the results and discussion. The last section is the conclusion, which summarizes this paper.

II. THE MATERIAL AND METHOD / ALGORITHM

A literature review is an evaluative report of the information found in the literature relevant to the selected area of study. The review should specify, summarize, classify and interpret the literature. The review should provide the theoretical, analytical base for the Database is depository of the most significant and valuable data and information in the company. In the database there are different security layers: the security officers, system administrator, database administrator, the employees and the developers. The attacker can crack these security layers. Some reviewed papers on keeping the attacker from cracking these security layers are compared in Table I.

TABLE I
METHODS COMPARISON BASED ON EACH AUTHORS

Reference Number | Author | Method | Drawback

Nanhay. Mohit. Raw, and K. Suresh Minimize the Implementation of consistent standards and SQL server Processing Sp_executesql replace with QUOTENAME . Managing Permissions. Tools to detect SQL injection SQL injection extraction, preprocessing, learning model analysis for SQL injection prediction and testing and Entirely dependent on user-defined (DUD) Threshold value Filtering sending and Web It does not have node to node verified . Vamshi. Trinadh. Soundabaya, and A. Omar Krit and S. Chitsutha Raja and Bing, . Rhythm and Himanshu Nedhal and A. Dana It does not have node to node verified It does not have node to node verified It does not have node to node verified It does not have node to node verified It does not have node to node verified . Aditya and P. N Chatur Security check model based on safety rule base Ganesh and G. Anandhi Parviz Ghorbanzadeh. Aytak Shaddeli. Roghieh Malekzadeh. Zoleikha Jahanbakhsh. Access control, policy, user and auditing, products such as firewalls, virtual private (VPN. and detection and (IDP) systems Role-Based Anomaly Detection . Asmaa Sallam. Qian Xiao. Daren Fadolalkarim.
Elisa Bertino

passive attack, clear text passwords and important data and information which can be used in other types of attack and it is also unencrypted traffic to be guide. It is also the display of information and data to the attackers beyond the permissions of the users. In an active attack, the attackers make many attempts to breach the secured system to get the information and data stored in the database. The attack can be completed in many ways, such as viruses, worms, stealth and others. The information can be accomplished in electronically attack illegal beyond user

It does not have node to node verified

Fig 1. Login form

It does not have node to node verified

Fig 2. HTML codes for the input fields .

Based on . , the attackers can be divided into categories: intruder, insider and administrator. An intruder is an anonymous person who has no right to access a computer system and does so illegally to get some rare data and information stored in the database. An insider is not an empowered person but a member of a group of trusted users who violates the privileges of empowered people and tries to get the data and information without the user's own access permissions. An administrator is an authorized person who has full control over the computer system but uses the privileges of administration illegally to get the information of the system. Besides, . also discusses the different types of attack, which are direct attacks, indirect attacks, passive attacks and active attacks.

Most web-based applications belong to organizations, universities, schools and others. Commonly, all these web-based applications provide a form for the users to login into the The data which the users input can easily be exploited through SQL injection.
For example, when a teacher wants to use the school portal, she first needs to log in to access it, as in Fig. But, when she inputs the username and password and the web form is not securely coded as in Fig. 2, hackers can easily gain the data that the user inputs by using a set of SQL queries as shown in Fig. So, this is basically how SQL injection works.

Attack which is achieved by the direct hitting is the direct If the database does not contain any security system, the attack is successful. If the attackers move on to the next attack, that means the attack has failed. An indirect attack is not executed directly on the objective; instead, the information and data from the objective can be collected through another transitional object for the security system to be The indirect attack is difficult to track. Further types of attack are the passive attack and the active attack. For

Fig 3. SQL injection query .

Based on . , there are a few ways of preventing SQL injection: minimizing privileges, implementing consistent coding standards and SQL server firewalling. Minimizing privileges means giving priority to security aspects and taking suitable steps during the development stage. Implementing consistent coding standards means that the developers need to set some coding policies to ensure that input validation checks are performed on the server, so that it is more secure. An SQL firewall is important so that only the trusted clients can be The firewall should reject all the untrusted.

In . , three prevention methodologies are stated. The first method is known as processing inputs. To execute SQL injection, keywords such as 'FROM', 'WHERE' and 'SELECT' are used. So, if these keywords are not accepted in the input fields, this problem can be solved.
The second method is managing permissions, which allows only people with authorization for the database to access the data.

Meanwhile in . , the vulnerability of SQL injection and they had proposed a framework which is known as "PhpMinerl" for SQL injection. Furthermore, there is a novel method for detecting SQL injection attacks based on removing the attribute values of SQL queries. They had planned a way to remove the attributes of SQL queries. Nonetheless, this method cannot justify the SQL syntax before detecting the SQL injection. Besides, this journal also explains Microsoft Azure Machine Language, which is a cloud-based predictive service that provides a fully managed model predictive analytics and Standards is to ensure that our web based application is hard to be hacked. Developers need to set a consistent coding standard, especially in the input validation form, because hackers usually breach the security of a web-based application from the log in system of the web based Lastly, any SQL server must be firewalled to give access only to the trusted clients. The firewall will reject any unwanted such as escape sequences, binary data and comment

Based on the reviewed papers, the authors never mentioned about Blockchain concept. as it detect verified nodes that may access web server and database for manipulation based on allowed Internet Protocol (IP) access. However, those unallowable nodes only do legal transactions without manipulating or injecting database. It is therefore. Fig. shows the adaptation of the Blockchain concept to avoid SQL injection attacks: when a node requests access to another node's database, the requesting node is verified by the node that receives the request. If it is not accepted, the request is rejected for security purposes. The concept will be applied to all nodes. A node could be a server, a computer, et cetera on a computer network.
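The login injection and the keyword check from the prevention methods above, as an added example (not code from this paper or from the works it reviews): a login query built by string concatenation beside a parameterized one, with the 'FROM' / 'WHERE' / 'SELECT' check run on the same input. The SQLite schema, the function names, the substring form of the keyword check and the sample rows are assumptions constructed for this illustration.

```python
import sqlite3

# Keywords the reviewed "processing inputs" method refuses in input fields.
BLOCKED_KEYWORDS = ("FROM", "WHERE", "SELECT")

# Constructed input: the '1' OR '1' = '1' condition from the text, typed into both fields.
TAUTOLOGY = "1' OR '1' = '1"


def make_db():
    """Build a throwaway in-memory database (schema and rows are constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plain-text passwords only keep the demo short; store salted hashes in practice.
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("teacher", "chalk")])
    return db


def keyword_filter_accepts(value):
    """Assumed form of the keyword check: case-insensitive substring match."""
    upper = value.upper()
    return not any(word in upper for word in BLOCKED_KEYWORDS)


def login_concatenated(db, username, password):
    """Vulnerable 'before' form: user input becomes part of the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("filter accepts tautology:", keyword_filter_accepts(TAUTOLOGY))
    print("concatenated login      :", login_concatenated(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized login     :", login_parameterized(db, TAUTOLOGY, TAUTOLOGY))
    print("parameterized, real user:", login_parameterized(db, "teacher", "chalk"))
```

The quoted condition contains none of the three keywords, so the keyword check accepts it, while binding the values as parameters makes the same input match no row.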
Fig 4. Proposed Method for Avoiding SQL Injection based on Blockchain Concept based on . (diagram labels: Client 1, Client 2, Client n; Access Checking Attempts; Node Protocol; Verified; Not Verified; Web; Database)

(diagram labels: Web Server; Encrypted SQL Result with key; Client without decryption key; Filteration)

predictive models.

In . , the DUD approach is used to detect SQL injection. The DUD approach is a post-generated approach that depends on query classification. This approach depends fully on the user, which needs to be defined prior to the execution of the algorithm. The DUD approach is then improved by using SQLI sanitizers to verify the attacks by comparing the run time of SQL statements with the sanitizers. Moreover, in . there are more techniques for preventing SQL injection attacks, such as black box testing. Black box testing boosts the testing system that is infiltrated by the utilization of machine learning approaches. Besides black box testing, they also proposed proxy filters and an intrusion detection system.

Nowadays, the security of a web-based application can be breached easily by everybody and anytime especially by Although almost all web-based applications have their own security system, not every security system is secure against SQL injection. So, to ensure the security of the database, detection of SQL injection is crucial, because SQL injection is very popular among hackers nowadays and the security of the database can be breached anytime . the wording said, prevention is better than cure. The approach of SQL injection can be categorized as pre-generated and post-generated.

Some of the methods of SQL injection attack are Using Unauthorized Queries, Stored Procedures, UNION Query and Bypassing Web-based Application. Firstly, hackers use the Unauthorized Queries technique because they want to know the structure of the table.
They first input illegal queries into the web-based application. Then, the web-based application detects the error and displays it. From the errors, hackers can learn a little about the structure of the table. Once they know the structure of the table, they can attack the web-based application by SQL injection. Secondly, Stored Procedures: most web-based applications save stored procedures and use them for data transmission. The developers think that saving the stored procedures will prevent SQL attacks. Unfortunately, the stored procedures make the web-based application more exposed to SQL injection attacks. Thirdly, UNION Query: the objective of the attacker is to obtain the data and information from the database. This process is successful until there are no DBMS error messages. Lastly, Bypassing Web-based Application: breaching the web-based application is the common method of attack used by hackers. This method is easy for the hackers: once they have bypassed the web application, they just need to input a certain query.

SQL injection was first applied in 1998 and has caused many problems for web developers. Because of these immoral activities by the hackers, the web-based application is getting busy finding a solution to prevent SQL injection from happening and causing a lot of problems for them. As a result of this SQL injection problem, some prevention methods have been proposed, such as Minimizing Privileges, Implementation of Consistent Coding Standards and SQL Firewalling. Firstly, in Minimizing Privileges, the developers of a web-based application need to put number one priority on their security. To avoid such things from happening, it is important to create a low privilege Secondly. Implementation of Consistent Coding

Fig 5. SQL injection query prevention approach (diagram labels: Database Server; Client with decryption key)

Fig. 5 shows the prevention from SQL injection problem There would be two clients with different A red client has no decryption key, whereas a green client has the decryption key for the SQL injection result. A red client, unlike a green client, cannot decrypt the result even though he or she has the result. Therefore, the result is safe and is not revealed to an unauthorized client, as indicated in red

ACKNOWLEDGMENT