Paper Authors

Abstract

NOTE: The first page of text has been automatically extracted and included below in lieu of an abstract

SQL Injection Attacks and Prevention Techniques

Abstract

Databases introduce a number of unique security requirements for their users and administrators. On one hand, databases are designed to promote open and flexible access to data. On the other hand, it’s this same open access that makes databases vulnerable to many kinds of malicious activity 1. One of the main issues faced by database security professionals is avoiding inference capabilities. Structured Query Language (SQL) injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application. In this report we discuss the different SQL injection attacks and prevention techniques available.

Introduction

Within the past decade, the growth of the Database industry and the Internet has revolutionized the way many people interact with information. This rapid proliferation and the cost effectiveness of new key technologies are creating large opportunities for developing large-scale distributed applications. These systems are made up of several interacting components, each of which is pretty much well encapsulated. However, this phenomenal growth has also brought about security concerns since some of the data now being made available on the Internet is sensitive. For example eCommerce, the leading Web-based application is projected to exceeding $1 trillion over the next several years. The strong need for information security is attributed to several factors, including the availability of sensitive information stored in corporations and governments databases to the outside world.

Database Access Control Models

Access control models were developed to primarily address the issues of data availability, secrecy, and confidentiality. These models can be classified as either traditional or recent. Traditional access control models are broadly categorized as discretionary access control (DAC) and mandatory access control (MAC) models. Newer models comprise mechanisms such as role- based access control (RBAC) or task-based access control (TBAC). These mechanisms address the security requirements of a wider range of applications.

Discretionary Access Control (DAC) Model

Discretionary access control is based on the concept of access rights (or privileges) to data objects, and mechanisms (such as SQL GRANT and REVOKE statements) for giving subjects such privileges. A privilege allows a subject to access some data object in a certain manner (e.g., reading and writing the data). All the subjects and objects in the system are enumerated and the access authorization rules for each subject and object are specified. Subjects can be users,

• Citation

• Format
  • APA
  • APA - LaTeX bibitem
  • MLA
  • MLA - LaTeX bibitem
  • Bibtex
  • EndNote - RIS

Garcia, M. (2006, June), Sql Injection Attacks And Prevention Techniques Paper presented at 2006 Annual Conference & Exposition, Chicago, Illinois. 10.18260/1-2--195