VOL 2 (2018) NO 3 - 2

e-ISSN : 2549-9904
ISSN : 2549-9610

INTERNATIONAL JOURNAL ON INFORMATICS VISUALIZATION

Review of SQL Injection : Problems and Prevention


Mohd Amin Mohd Yunus#, Muhammad Zainulariff Brohan#, Nazri Mohd Nawi#, Ely Salwana Mat Surin*, Nurhakimah Azwani Md Najib#, Chan Wei Liang#
# Faculty of Science Computer and Information Technology, Universiti Tun Hussein Onn Malaysia, Malaysia
* Institute of Visual Informatics, Universiti Kebangsaan Malaysia
E-mail: aminy@uthm.edu.my, zainulariff96@gmail.com, nazri@uthm.edu.my, elysalwana@ukm.edu.my, nurhakimahazwani95@gmail.com, weiliang246@gmail.com

Abstract— SQL injection targets electronic records held in databases, and it still exists two decades after it first appeared. Most web-based applications are still vulnerable to SQL injection attacks. Although technology has improved greatly over the past years, hackers can still find holes through which to perform SQL injection. There are many methods by which hackers perform SQL injection, and there are also many ways of preventing it. The vulnerability to SQL injection is very large, and it is definitely a huge threat to web-based applications, because hackers can easily compromise a system and obtain any data and information they want, anytime and anywhere. This paper summarizes several techniques proposed in existing journal papers for preventing SQL injection. It then proposes a Blockchain concept for preventing SQL injection attacks on a database management system (DBMS) via IP.

Keywords— Database, DBMS, SQL Injection

I. INTRODUCTION

SQL is the short form of Structured Query Language. SQL is used to interact with a database and to manipulate the data stored in it. A database normally provides a data definition language and a data manipulation language that allow results to be retrieved. Injection, meanwhile, is the act of injecting something into an organism. SQL injection is a technique by which hackers execute malicious SQL queries on the database server. It can be carried out through a web-based application to reach databases that contain sensitive information. According to the National Security Agency (NSA), SQL injection is the technique most typically used by hackers; even the well-known database organization MySQL was hacked through this technique on its electronic records [11], [12]. There are vulnerabilities in MySQL that cause data leakage when attackers gain access to the database and expose or alter its information. One of these vulnerabilities is a privilege escalation bug, also called a race condition bug. It allows local system users to access the database and upgrade their privileges, for example by changing their id to 1, which can be the admin, and then altering or executing whatever they like. This gives an attacker the opportunity to access the entire database server, and the attacker may fully compromise the target server.

Besides that, there is another vulnerability, a root privilege escalation bug. It works together with the previous vulnerability: once the previous bug has given the attacker access to the server and upgraded the user to administrator, the attacker can replace a certain system file with an arbitrary file. The present bug then causes the system to be tied to an unsafe file, so the attacker can change the file easily, because the bug opens a backdoor through which the attacker alters the file.

Normally, the most common attack that threatens a database system targets its login system. On the login page, most attacks try brute force, which means guessing the password by trying every possibility; a dictionary attack is considered a type of brute force. Another very common attack, widely used by attackers, is SQL injection. SQL injection is putting '1' OR '1' = '1' into the username and password fields. If the system has no SQL injection prevention and the attacker enters this input, the attacker can access the system without authorization [1]-[4]. The bad consequence of SQL injection is that the hacker can easily gain access to the database information. However, SQL injection can be prevented in a few ways. The first approach is to use SQL injection sanitizers, as used in the Directory of Useful Decoy (DUD) approach, to detect the intervention in the web-based application. For the second

approach, a firewall should be provided for the SQL server.

In completing this review paper, thirteen journal papers regarding SQL injection were reviewed comprehensively. The study in [1] defines SQL injection as a method by which hackers execute malicious SQL queries on the database server via a web-based application; it also explains the strategy for fighting SQL injection and the solutions. In [2], the authors explain how SQL injection works and the defensive mechanisms against these threats. The studies in [3] and [4] explain how to prevent SQL injection in server-side scripting and how to detect SQL injection attacks, respectively. In [5], the prevention of SQL injection is also explained.

A database is a set of data and information organized so that it can be easily accessed, handled and updated. The data is organized into rows, columns and tables, and it is indexed so that related data and information can be found. The data is updated, enlarged and deleted as new data and information is added. Databases process workloads to create and update themselves, to query the data they contain and to run applications against it. With the increased usage of databases, the frequency of attacks against them has also increased. Data breaches are a threat to every organization, and the damage goes beyond the actual loss of sensitive and personal information. Organizations at risk must always stay a step ahead in their database security to protect and secure their data and information from attackers. Database attacks are an increasing trend nowadays. One reason is the increase in access to the data and information stored in databases: when data is accessed by many anonymous people, the chance of a data threat increases. Furthermore, database attacks are carried out to make a lot of money by illegally selling sensitive information such as credit card numbers. The first reviewed journal paper [6] explains the lack of awareness regarding database security, which can lead to many database threats, such as loss of the integrity, confidentiality and availability of a company's data and information. To reduce the percentage of database threats, [7] proposes techniques to overcome this problem, such as improving the existing security system of the database. Furthermore, [8] discusses a detection system, anomaly detection (AD), to detect insider attacks on the database, which are far more dangerous than outsider attacks. Moreover, [9] describes various categories of attacker, such as intruder, insider and administrator, and also discusses the types of attack: direct attacks, indirect attacks, passive attacks and active attacks. The last journal paper [10] discusses database security threats in mobile systems and how to overcome them. A mobile database system must have such support, and the security of a mobile database system is much more important. The next section discusses the material and method or algorithm for comparing the methods of each author, followed by the results and discussion. The last section is the conclusion summarizing this paper.

II. THE MATERIAL AND METHOD / ALGORITHM

A literature review is a report of the evaluative information found in the literature relevant to the chosen area of study. The review should specify, summarize, classify and interpret the literature, and it should provide the theoretical and analytical base for the research. A database is the depository of the most significant and valuable data and information in a company. In a database there are different security layers: the security officers, the system administrator, the database administrator, the employees and the developers. An attacker can crack these security layers. The reviewed papers were studied for ways of preventing the attacker from cracking these security layers, as summarized in Table I.

TABLE I
METHODS COMPARISON BASED ON EACH AUTHOR

Reference Number | Author | Method | Drawback
[1] | S. Nanhay, D. Mohit, R.S. Raw, and K. Suresh | Minimize the privileges, implementation of consistent coding standards and SQL server firewalling | It does not have node-to-node verified signature
[2] | K.G. Vamshi, V. Trinadh, S. Soundabaya, and A. Omar | Processing input, sp_executesql, replace with QUOTENAME, managing permissions, tools to detect SQL injection queries | It does not have node-to-node verified signature
[3] | K. Krit and S. Chitsutha | SQL injection command dataset extraction, pre-processing, machine learning model analysis for SQL injection prediction and detection, testing and training | It does not have node-to-node verified signature
[4] | P.K. Raja and Z. Bing | Entirely dependent on user-defined approach (DUD), threshold value | It does not have node-to-node verified signature
[5] | D. Rhythm and G. Himanshu | Filtering sending and receiving mechanism | It does not have node-to-node verified signature
[6] | A.A. Nedhal and A. Dana | Web application firewall | It does not have node-to-node verified signature
[7] | A.S. Aditya and P.N. Chatur | Security check model based on safety rule base | It does not have node-to-node verified signature
[8] | S.P. Ganesh and G. Anandhi | Access control, inference policy, user identification and authentication, accountability and auditing, encryption consideration | It does not have node-to-node verified signature
[9] | Parviz Ghorbanzadeh, Aytak Shaddeli, Roghieh Malekzadeh, Zoleikha Jahanbakhsh | Security products such as firewalls, virtual private networks (VPNs) and intrusion detection and prevention (IDP) systems | It does not have node-to-node verified signature
[10] | Asmaa Sallam, Qian Xiao, Daren Fadolalkarim, Elisa Bertino | Role-Based Anomaly Detection approach | It does not have node-to-node verified signature

Based on [9], attackers can be divided into several categories: intruder, insider and administrator. An intruder is an anonymous person who has no right to access a computer system, accesses it illegally and obtains some rare data and information stored in the database. An insider is not an empowered person but a representative of a group of trusted users who violates the privileges of empowered people and tries to get data and information without having the user's own access permission. An administrator is an authorized person who has full domination over the computer system but uses the privileges of administration illegally to get information from the system. [9] also discusses the different types of attack: direct attacks, indirect attacks, passive attacks and active attacks. Most web-based applications belong to organizations, universities, schools and others. Commonly, all these web-based applications provide a form for users to log into the application. The data that users input can easily be exploited through SQL injection. For example, when a teacher wants to use the school portal she first needs to log in to access it, as in Fig. 1. But when she inputs the username and password and the web form is not securely coded, as in Fig. 2, hackers can easily obtain the data the user inputs by using a set of SQL queries, as shown in Fig. 3. This is basically how SQL injection works.

A direct attack is an attack achieved by hitting the target directly. If the database does not have any security system, the attack is successful; if the attackers move on to the next attack, it means this attack has failed. An indirect attack is not executed directly on the target; instead, information and data about the target are collected through other transitional objects so that the security system can be tricked. An indirect attack is difficult to track. The further types of attack are the passive attack and the active attack. In a passive attack, clear-text passwords and important data and information that can be used in other types of attack are obtained, with unencrypted traffic serving as the guide; it also exposes information and data to the attackers beyond the permissions of the users. In an active attack, the attackers have made many attempts to breach the secured system to get the information and data stored in the database. The attack can be completed in many ways, such as viruses, worms, stealth and others. The information is obtained through an electronic attack, illegally and beyond the user's knowledge.

Fig 1. Login form

Fig 2. HTML codes for the input fields [2]

Fig 3. SQL injection query [2]

Based on [1], there are a few ways of preventing SQL injection: minimizing the privileges, implementation of consistent coding standards and SQL server firewalling. Decreasing the privileges means giving priority to security aspects, and suitable steps need to be taken during the development stage. Implementation of consistent coding standards means that the developers need to set coding policies to ensure that input validation checks are performed on the server, so that the application is more secure. An SQL firewall is important so that only trusted clients can connect; the firewall should reject all untrusted ones. In [2], three prevention methodologies are stated. The first method is known as processing inputs: in order to execute SQL injection, keywords such as 'FROM', 'WHERE' and 'SELECT' are used, so if these keywords are not accepted in the input fields, the problem can be solved. The second method is managing permissions, so that only people with authorization on the database can access the data. Meanwhile, [3] addresses the vulnerability of SQL injection and proposes a framework known as "PhpMinerl" for SQL injection. Furthermore, it presents a novel method for detecting SQL injection attacks based on removing the attribute values of SQL queries; the authors planned a way to remove the attributes of SQL queries. Nonetheless, this method cannot justify the SQL syntax before detecting the SQL injection. Besides, this journal paper also explains Microsoft Azure Machine Language, a cloud-based predictive service that provides a fully managed model for predictive analytics and

predictive models. In [4], the DUD approach is used to detect SQL injection. DUD is a post-generated approach that depends on query classification. It depends fully on the user, who must define the classification prior to the execution of the algorithm. The DUD approach is then improved by using SQLI sanitizers to verify the attacks, comparing the SQL statements at run time with the sanitizers. Moreover, [5] gives further techniques for preventing SQL injection attacks, such as black box testing. Black box testing boosts the testing of the system, which is infiltrated through the use of machine learning approaches. Besides black box testing, proxy filters and intrusion detection systems are also proposed [6]-[9].

Nowadays, the security of a web-based application can be breached easily by anybody and at any time, especially by hackers. Although almost all web-based applications have their own security system, not every security system is secure against SQL injection. So, to ensure the security of the database, detection of SQL injection is very crucial, because SQL injection is very popular among hackers nowadays and the security of the database can be breached at any time [13]-[15]. As the saying goes, prevention is better than cure. Approaches to SQL injection can be categorized as pre-generated and post-generated.

Some of the methods of SQL injection attack are Unauthorized Queries, Stored Procedures, UNION Query and Bypassing the Web-based Application. Firstly, hackers use the Unauthorized Queries technique because they want to know the structure of the table. They first input illegal queries to the web-based application; the web-based application then detects the error and displays it. From the errors, hackers learn a little about the structure of the table, and once they know it they can attack the web-based application by SQL injection. Secondly, in Stored Procedures, most web-based applications save stored procedures and use them for data transmission. The developers thought that saving the stored procedures would prevent SQL attacks. Unfortunately, the stored procedures make the web-based application more exposed to SQL injection attacks. Thirdly, in the UNION Query, the objective of the attacker is to obtain the data and information from the database; this process is successful as long as there are no DBMS error messages. Lastly, in Bypassing the Web-based Application, breaching the web-based application is the common method of attack used by hackers. This method is easy for hackers: having bypassed the web application, they just need to input a certain query. SQL injection was first applied in 1998 and has caused many problems for web developers. Because of these immoral activities by hackers, web-based application developers are busy finding solutions to prevent SQL injection from happening and causing many problems for them.

As a result of the SQL injection problem, several prevention methods have been proposed, such as Minimizing Privileges, Implementation of Consistent Coding Standards and SQL Firewalling. Firstly, in Minimizing Privileges, the developers of a web-based application need to make security their number one priority; to avoid such things from happening, it is important to create a low-privilege account. Secondly, Implementation of Consistent Coding Standards is to ensure that the web-based application is hard to hack; developers need to set a consistent coding standard, especially for input validation on forms, because hackers usually breach the security of a web-based application through its login system. Lastly, any SQL server must be firewalled to give access only to trusted clients. The firewall will reject anything unwanted, such as escape sequences, binary data and comment characters.

Based on the reviewed papers, the authors never mention the Blockchain concept [16], which detects verified nodes that may access the web server and database for manipulation, based on allowed Internet Protocol (IP) access. Those non-allowed nodes can only perform legal transactions, without manipulating or injecting into the database. Fig. 4 therefore shows the adaptation of the Blockchain concept to avoid SQL injection attacks: whenever a node requests access to another node's database, the requesting node is verified by the node that receives the request. If it is not accepted, the request is rejected for security purposes. The concept is applied to all nodes, where a node could be a server, a computer, etc. on the computer network.

[Fig. 4 diagram: Client 1, Client 2, ..., Client n -> Access Checking (attempts verified) -> Node Protocol -> Verified Web -> Verified Database, via the protocol for accessing the database; a node that is Not Verified is rejected]
Fig 4. Proposed Method for Avoiding SQL Injection based on Blockchain Concept based on [16]

[Fig. 5 diagram: Client without decryption key and Client with decryption key -> Web Server -> Encrypted SQL -> Filtration -> Database Server -> Result with key]
Fig 5. SQL injection query prevention approach

Fig. 5 shows the prevention of the SQL injection problem. There are two clients with different permissions: a red client without a decryption key and a green client having the decryption key for the SQL injection result. The red client cannot decrypt the result, unlike the green client, even though it holds the result. Therefore, the result is safe and is not revealed to the unauthorized client, as indicated in red.

III. RESULTS AND DISCUSSION

In this study, SQL injection is one of the most serious cases of data theft from a database associated with a web-based application. SQL injection happens frequently because of the vulnerability of the web-based application and the lack of awareness regarding the security of the database. There are many ways for hackers out there to perform SQL injection. So, to prevent this from happening, the developer of a web-based application must give the Blockchain concept [16] high priority in the security of the web-based application, to ensure that all data in the database is kept safe and sound. The security of the web-based application should be tested to check whether it is vulnerable to SQL injection or not, to ensure that nobody can breach the security of the database behind the web-based application. Based on my research, I found that there are many types of database security threats, including insider attacks, internal attacks and external attacks, etc. But where there is a problem, there will be a solution. It is the same with threats to database security: many problems occur, and at the same time there are solutions for them, such as access control, inference policy, user authentication, data encryption, etc.

IV. CONCLUSIONS

Precisely, the main objective of this research is to study the techniques hackers use to execute malicious SQL queries on the database server, which is called SQL injection. It is the most popular technique among hackers for gaining data and information stored in the database of a web-based application. The major objective of this research is to determine what database threats are; a database threat is defined as an immoral activity performed by hackers to steal data and information in illegal ways. The second objective concerns examples of database threats, such as excessive privilege abuse, legitimate privilege abuse, privilege elevation and platform vulnerabilities, and how to overcome them. Thus, the Blockchain concept is introduced to overcome SQL injection via node verification with IP. For future work, SQL injection prevention will be executed using Blockchain and Augmented Reality (AR). It might be an approach to view SQL injection attempts using AR that improves the potential injection attack.

ACKNOWLEDGMENT

This project is also indirectly sponsored by Universiti Tun Hussein Onn Malaysia. This research is also supported by Research GATES IT Solution Sdn. Bhd. under its publication scheme.

REFERENCES

[1] S. Nanhay, D. Mohit, R.S. Raw, and K. Suresh, "SQL Injection: Types, Methodology, Attack Queries and Prevention", in 3rd International Conference on Computing for Sustainable Global Development (INDIACom), 2016, pp. 2872-2876.
[2] K.G. Vamshi, V. Trinadh, S. Soundabaya, and A. Omar, "Advanced Automated SQL Injection Attacks and Defensive Mechanisms", in Annual Connecticut Conference on Industrial Electronics, Technology & Automation (CT-IETA), 2016, pp. 1-6.
[3] K. Krit and S. Chitsutha, "Machine Learning for SQL Injection Prevention on Server-Side Scripting", in International Computer Science and Engineering Conference (ICSEC), 2016, pp. 1-6.
[4] P.K. Raja and Z. Bing, "Enhanced Approach to Detection of SQL Injection Attack", in 15th IEEE International Conference on Machine Learning and Applications (ICMLA), 2016, pp. 466-469.
[5] D. Rhythm and G. Himanshu, "SQL Filtering: An Effective Technique to prevent SQL Injection Attack", in International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO), 2016, pp. 312-317.
[6] A.A. Nedhal and A. Dana, "Database Security Threats: A Survey Study", in 5th International Conference on Computer Science and Information Technology, 2013, pp. 60-64.
[7] A.S. Aditya and P.N. Chatur, "Efficient and Effective Security Model for Database Specially Designed to Avoid Internal Threats", in International Conference on Smart Technologies and Management for Computing, Communication, Controls, Energy and Materials (ICSTM), 2015, pp. 165-167.
[8] S.P. Ganesh and G. Anandhi, "Database Security: A Study on Threats And Attacks", International Journal on Recent and Innovation Trends in Computing and Communication, vol. 4(6), pp. 512-513, 2015.
[9] Parviz Ghorbanzadeh, Aytak Shaddeli, Roghieh Malekzadeh, Zoleikha Jahanbakhsh, "A Survey of Mobile Database Security Threats and Solutions for it", in the 3rd International Conference on Information Sciences and Interaction Sciences, 2007, pp. 676-682.
[10] Asmaa Sallam, Qian Xiao, Daren Fadolalkarim, Elisa Bertino, "Anomaly Detection Techniques for Database Protection Against Insider Threats", in 17th International Conference on Information Reuse and Integration (IRI), 2016, pp. 20-29.
[11] L. Zhang, C. Tan, and F. Yu, "An Improved Rainbow Table Attack for Long Passwords," Procedia Computer Science, vol. 107, pp. 47-52, 2017.
[12] Deniz Gurkan and Fatima Merchant, "Interoperable Medical Instrument Networking and Access System with Security Considerations for Critical Care", Journal of Healthcare Engineering, vol. 1(4), pp. 637-654, 2010.
[13] M. A. Halcrow and N. Ferguson, "A Second Pre-image Attack Against Elliptic Curve Only Hash (ECOH)," IACR Cryptol. ePrint Arch., vol. 2009, p. 168, 2009.
[14] A.K. Kyaw, F. Sioquim, and J. Joseph, "Dictionary attack on Wordpress: Security and forensic analysis," in 2015 2nd International Conference on Information Security and Cyber Forensics, InfoSec 2015, 2016, pp. 158-164.
[15] F. Mouton, M. M. Malan, L. Leenen, and H. S. Venter, "Social engineering attack framework," in Proceedings of the ISSA, 2014.
[16] Hilarie Orman, "Blockchain: the Emperors New PKI?", IEEE Internet Computing, vol. 22(2), pp. 23-28, 2018.
