| Abstract |
|---|
| SQL injection attacks involve the construction of application input data that will result in the execution of malicious SQL statements. Many web applications are prone to SQL injection attacks. This paper proposes a novel methodology of preventing this kind of attack by placing a secure database driver between the application and its underlying relational database management system. To detect an attack, the driver uses stripped-down SQL queries and stack traces to create SQL statement signatures that are then used to distinguish between injected and legitimate queries. The driver depends neither on the application nor on the RDBMS and can be easily retrofitted to any system. We have developed a tool, SDriver, that implements our technique and used it on several web applications with positive results. |
| Year | DOI | Venue |
|---|---|---|
| 2009 | 10.1016/j.cose.2008.09.005 | Computers and Security |

| Keywords | Field | DocType |
|---|---|---|
| firewall, sqlia, sql injection attack, jdbc driver, web security, relational database management system | SQL, Stored procedure, Computer security, Language Integrated Query, Computer science, Data Transformation Services, Query by Example, Autocommit, User-defined function, SQL injection, Database | Journal |

| Volume | Issue | ISSN |
|---|---|---|
| 28 | 3-4 | Computers & Security |

| Citations | PageRank | References |
|---|---|---|
| 9 | 0.48 | 23 |

| Authors |
|---|
| 2 |
Name | Order | Citations | PageRank |
---|---|---|---|
Dimitris Mitropoulos | 1 | 90 | 15.14 |
Diomidis Spinellis | 2 | 2023 | 178.89 |