We present a practical protection mechanism against SQL injection attacks. Such attacks target databases that are accessible through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts. We apply the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker. Queries injected by the attacker will be caught and terminated by the database parser. We show how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language. Our mechanism imposes negligible performance overhead to query processing and can be easily retrofitted to existing systems.
The intuition behind such attacks is that pre-defined logical expressions within a pre-defined query can be altered simply by injecting operations that always result in true or false statements. This injection typically occurs through a web form and associated CGI script that does not perform appropriate input validation. These types of injections are not limited strictly to character fields. Similar alterations to the “where” and “having” SQL clauses have been exposed, when the application does not restrict numeric data for numeric fields.
Standard SQL error messages returned by a database can also assist the attacker. In situations where the attacker has no knowledge of the underlying SQL query or the contributing tables, forcing an exception may reveal more details about the table or its field names and types. This technique has been shown to be quite effective in practice.
One solution to the problem is to improve programming techniques. Common practices include escaping single quotes, limiting the input character length, and filtering the exception messages. Despite these suggestions, vulnerabilities continue to surface in web applications, implying the need for a different approach. Another approach is to use the PREPARE statement feature supported by many databases, which allows a client to pre-issue a template SQL query at the beginning of a session; for the actual queries, the client only needs to specify the variables that change. Although the PREPARE feature was introduced as a performance optimization, it can address SQL injection attacks if the same query is issued many times. When the queries are dynamically constructed (e.g., as a result of a page with several options that user may select), this approach does not work as well.
Download pdf SQLrand: Preventing SQL Injection Attacks
Related Searches: target databases, validation logic, random sql, logical expressions, input validation
Categories
Archives
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
Today's Search Terms:
- access 2003 for dummies pdf - xr 250 specs - nav manual 06 nissan roadster - canon printer driver canon download ip 1700 - sony vgn service torrent - mégane - yamaha golf cart repair manuals - mss - free pdf hibernate developer guide with examples - v40 dash processor pdf programming - 2000 ML320 operators manual - peugeot 407 wheel bearing - citroen zx diagrams - audi tt bentley - pfSense: The Definitive Guide pdf - http://iponsel com/ebook/cisco-pix-firewall-command-reference/2007/08/30/ - http://iponsel com/ebook/samsung-sgh-a707-series/2007/08/18/ - http://iponsel com/ebook/ejot-fds-in-the-body-in-white-of-the-audi-tt-pdf/2007/12/05/ - http://iponsel com/ebook/dell-printers/2007/09/01/ - http://iponsel com/ebook/mazda-miata-mx-5-1999-service-manual/2007/11/05/ - http://iponsel com/ebook/dell-laser-printer-1710-1710n/2007/09/01/ - http://iponsel com/ebook/dell-color-laser-printer-5110cn/2007/09/01/ - clio speed sensor diagram - applikasi nokia 7610 free - tutorials virtools - airbag clio serv - 2009 honda cbr600rr manual pdf - owners manual for gmc 2008 envoy - harry potter the chamber of secrets pc torrent - hyundai accent service manual downloadMost Popular
- iPod shuffle User's Guide (Manual)
- Renault Workshop Repair Manual PDF
- VolksWagen Golf and Jetta Routine Maintenance and Servicing Manual
- VolksWagen Golf & Jetta Service and Repair Manual
- Volkswagen Beetle Manual PDF
- Hacking the XBOX 360 for Noobs Tutorial
- VW Golf and Jetta Braking System PDF Manual
- Renault Workshop Repair Manual PDF
- VolksWagen Golf III / Jetta III Wiring Diagram Manual
- Renault All Types Service Manual PDF
Random Posts
- Label Gallery ActiveX and DDE Programming Guide
- Metastock Professional 8.0 User Manual
- D-Link DMI-128ESU+ ISDN Terminal Adapter (TA) Users Manual
- 2000 Pontiac Firebird Owner’s Manual PDF
- How to Use the New Internet for Business Development
- Portable Hi-fi Speaker for iPod pdf
- Praxis Script Programming Guide
- ActionScript 3.0 Cookbook Ch.I
- C# is a functional programming language
- SAP Help Guide: Time Zones Tutorial
Free Ebook Manual Download is proudly powered by WordPress - BloggingPro theme by: Design Disease
RSS feed for comments on this post · TrackBack URI
Leave a reply