SQL Injection Attacks Discussion

Content type

User Generated

Subject

Computer Science

Type

Discussion

Uploaded By

rnffljevggre

Pages

Rating

SQL full form is structured query language. SQL injection is one of the types for

attacking security of the websites. Generally this method is adopted by a hacker to get

access to the data over other websites. This whole process is done by adding

SQLinjection to the web input. This can also be said as bad code embedded in the user

application or web page . so that hacker has a high chance of using this attack the

malicious data in the database if there is more number of inputs from the user end user

application should reject or limit the inputs per time .

SQL injection is a powerfull attack where users input are carefully modified as SQL

statements into a website form. SQL injection technique used for hacking webpages .

SQL injection is simple technique to access a private data base using injection operation

or in other words by injecting all queries into data base. SQL injection is mainly used to

get an access of the database without permission of the DB( database administrator) in

sql injection the query parameter are 0 or 1 may be combination of other numbers and

strings.( Yao-Wen Huang, Chung-Hung Tsai, Tsung-Po Lin, Shih-Kun Huang, D. T., Sy-Yen

Kuo. 2005)

"More precisely, SQL Injection Attacks(SQLIAs) occurs when an online Web application

receives user input and when it tried to create a database query without validating it

properly” .SQL injection technique is a technique to break application security. Area of

vulnerability is where user input is transferred into of database query. web application

application which probably can execute all application actions supported by GUI - and

this is huge threat to application’s security.

SQL injection is web vulnerability where malicious users input is modified as SQL

statements into a website form. Let’s stay with login form and typical login scheme

where user names and passwords are stored in some database table. This is the most

popular case where the login form entry is validated with database query and the query

result lets application decide whether you are allowed to log in or not.( Chris Anley.

2002)

Database intrusion detection systems are based on signatures of well-known exploits

and traps and honey tokens set in the database one should not expose their database

structures in diagnostic messages. in fact one should not expose actual diagnostic

messages and log them in database or file but to the user just show some information

like ‘error occurred’ and that’s it . most important thing is one should not build their

queries as a string that combines your SQL code with user inputs, instead use value

prepared queries and binding.( S. Raghavan, H. Garcia-Molina. 2001)

Reference:

Yao-Wen Huang, Chung-Hung Tsai, Tsung-Po Lin, Shih-Kun Huang, D. T., Sy-Yen Kuo. 2005. A testing

framework for Web application security assessment

Chris Anley. 2002. Advanced SQL Injection in SQL Server Applications. An NGSSoftware Insight

Security Research (NISR) publication.

http://www.nextgenss.com/papers/advanced_sql_injection.pdf

S. Raghavan, H. Garcia-Molina. 2001. Crawling the Hidden Web

Unformatted Attachment Preview

SQL full form is structured query language. SQL injection is one of the types for attacking security of the websites. Generally this method is adopted by a hacker to get access to the data over other websites. This whole process is done by adding SQLinjection to the web input. This can also be said ...
Purchase document to see full attachment

Tags: SQL SQL injection attacks SQL injection technique hacking web vulnerability