Secure Query Processing by Blocking SQL Injection

Aich, Dibyendu (2009) Secure Query Processing by Blocking SQL Injection. MTech thesis.


Abstract

With the rise of the Internet, web applications such as online banking, web-based email and web services, as an instant means of information dissemination and other transactions, have essentially become a key component of today's Internet infrastructure. Web-based systems consist of both infrastructure components and application-specific code. There are many reports of intrusions by external attackers that compromised the back-end database system, so we briefly introduce the key concepts and problems of information security and present the major role that SQL Injection plays in this scenario. SQL Injection Attacks are a class of attacks to which many of these systems are highly vulnerable, and there is no known fool-proof defense against them. Based on the above analysis and on the current state of the art in computer security, we focus our research specifically on SQLIAs, which remain one of the most exploited and dangerous intrusion techniques used against web applications.
In this thesis, we propose a technique that uses runtime validation to detect the occurrence of such attacks; its evaluation methodology is general and adaptable to any existing system. Most available solutions to this problem either require source code modification, which is an overhead for an existing system and can also introduce new injection points, or impose a computational overhead at run time that increases the minimum response time; moreover, most of them do not take advantage of modern processor architectures. To overcome these problems we use linked-list representations that store the valid query structures as ordered sequences of tokens. To search quickly among these lists we search them in a multithreaded way. To avoid the heavy computational overhead of a string-matching algorithm for comparing two tokens, we convert each token into an integer value, store that integer instead of the token in our database, and simply compare these integer values while searching. To find the correct group of lists we use an array representation, which eliminates the need to search for the specific group. To further minimize the response time we use a hit-count method to predict the most likely list in which to search for the incoming query structure. In brief, this technique eliminates the need for source code modification while improving overall efficiency.
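The runtime validation sketched in the abstract, as an added illustration that is not code from the thesis: query structures are reduced to ordered token sequences, tokens are replaced by integer codes, known-good structures are grouped so only a few candidates are compared, and a hit count orders the candidates. The grouping key (first token code, sequence length), the keyword set and the sample queries are my assumptions; the multithreaded search is omitted.

```python
import re

# Constructed example: keywords keep their text; identifiers, literals and
# comments are abstracted to a class, so only the query *shape* is compared.
KEYWORDS = {"select", "from", "where", "and", "or", "insert", "into", "values",
            "update", "set", "delete", "union", "order", "by", "like", "not"}
TOKEN_RE = re.compile(r"""(?P<comment>--[^\n]*|/\*.*?\*/)
    |(?P<string>'(?:[^']|'')*')|(?P<number>\d+(?:\.\d+)?)
    |(?P<word>[A-Za-z_]\w*)|(?P<op>[<>!=]=|[<>=*+\-/,().;?])|(?P<other>\S)""",
    re.VERBOSE | re.DOTALL)

def structure(sql):
    """Tokenise SQL into its ordered sequence of structural tokens."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group().lower()
        if kind == "word":
            out.append(text if text in KEYWORDS else "IDENT")
        elif kind in ("string", "number"):
            out.append("LITERAL")
        elif kind == "op":
            out.append(text)
        else:
            out.append(kind.upper())        # COMMENT or OTHER
    return out

class StructureStore:
    """Known-good structures as integer sequences, grouped by (first code, length)."""
    def __init__(self):
        self.ids = {}       # structural token -> integer code (assumed mapping)
        self.groups = {}    # group key -> list of [codes, hit_count]

    def _encode(self, sql):
        codes = [self.ids.setdefault(t, len(self.ids)) for t in structure(sql)]
        return codes, (codes[0] if codes else -1, len(codes))

    def learn(self, sql):
        # Record the structure of a query the application is known to issue.
        codes, key = self._encode(sql)
        group = self.groups.setdefault(key, [])
        if all(entry[0] != codes for entry in group):
            group.append([codes, 0])

    def is_valid(self, sql):
        """Runtime check: accept only if this exact structure was learned."""
        codes, key = self._encode(sql)
        # Hit-count ordering: structures matched most often are tried first.
        for entry in sorted(self.groups.get(key, []), key=lambda e: -e[1]):
            if entry[0] == codes:
                entry[1] += 1
                return True
        return False
```

A query whose only difference is a literal value keeps its learned structure and is accepted; a tautology or comment appended by an attacker changes the token sequence (and usually its length), so it falls into a different group and is rejected.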

Item Type: Thesis (MTech)
Uncontrolled Keywords: SQL Injection, Structured Query Language
Subjects: Engineering and Technology > Computer and Information Science > Information Security
Divisions: Engineering and Technology > Department of Computer Science
ID Code: 1504
Deposited By: Mr Dibyendu Aich
Deposited On: 13 Jun 2009 11:46
Last Modified: 13 Jun 2009 11:46
Supervisor(s): Jena, S K
