June 18, 2006
June 18, 2006
June 21, 2006
Computers in Education
11.1145.1 - 11.1145.12
SQL Injection Attacks and Prevention Techniques
Databases introduce a number of unique security requirements for their users and administrators. On one hand, databases are designed to promote open and flexible access to data. On the other hand, it’s this same open access that makes databases vulnerable to many kinds of malicious activity 1. One of the main issues faced by database security professionals is avoiding inference capabilities. Structured Query Language (SQL) injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application. In this report we discuss the different SQL injection attacks and prevention techniques available.
Within the past decade, the growth of the Database industry and the Internet has revolutionized the way many people interact with information. This rapid proliferation and the cost effectiveness of new key technologies are creating large opportunities for developing large-scale distributed applications. These systems are made up of several interacting components, each of which is pretty much well encapsulated. However, this phenomenal growth has also brought about security concerns since some of the data now being made available on the Internet is sensitive. For example eCommerce, the leading Web-based application is projected to exceeding $1 trillion over the next several years. The strong need for information security is attributed to several factors, including the availability of sensitive information stored in corporations and governments databases to the outside world.
Database Access Control Models
Access control models were developed to primarily address the issues of data availability, secrecy, and confidentiality. These models can be classified as either traditional or recent. Traditional access control models are broadly categorized as discretionary access control (DAC) and mandatory access control (MAC) models. Newer models comprise mechanisms such as role- based access control (RBAC) or task-based access control (TBAC). These mechanisms address the security requirements of a wider range of applications.
Discretionary Access Control (DAC) Model
Discretionary access control is based on the concept of access rights (or privileges) to data objects, and mechanisms (such as SQL GRANT and REVOKE statements) for giving subjects such privileges. A privilege allows a subject to access some data object in a certain manner (e.g., reading and writing the data). All the subjects and objects in the system are enumerated and the access authorization rules for each subject and object are specified. Subjects can be users,
Garcia, M. (2006, June), Sql Injection Attacks And Prevention Techniques Paper presented at 2006 Annual Conference & Exposition, Chicago, Illinois. 10.18260/1-2--195
ASEE holds the copyright on this document. It may be read by the public free of charge. Authors may archive their work on personal websites or in institutional repositories with the following citation: © 2006 American Society for Engineering Education. Other scholars may excerpt or quote from these materials with the same citation. When excerpting or quoting from Conference Proceedings, authors should, in addition to noting the ASEE copyright, list all the original authors and their institutions and name the host city of the conference. - Last updated April 1, 2015