Model based hybrid approach to prevent SQL injection attacks in PHP

Authors:
Kunal Sadalkar;Radhesh Mohandas;Alwyn R. Pais
Affiliations:
Department of Computer Science and Engineering, National Institute of Technology Karnataka, Surathkal, India;Department of Computer Science and Engineering, National Institute of Technology Karnataka, Surathkal, India;Department of Computer Science and Engineering, National Institute of Technology Karnataka, Surathkal, India
Venue:
InfoSecHiComNet'11 Proceedings of the First international conference on Security aspects in information technology
Year:
2011

Citing 8
Cited 0

JDBC Checker: A Static Analysis Tool for SQL/JDBC Applications

Proceedings of the 26th International Conference on Software Engineering
SQL DOM: compile time checking of dynamic SQL statements

Proceedings of the 27th international conference on Software engineering
Safe query objects: statically typed objects as remotely executable queries

Proceedings of the 27th international conference on Software engineering
Combining static analysis and runtime monitoring to counter SQL-injection attacks

WODA '05 Proceedings of the third international workshop on Dynamic analysis
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Using parse tree validation to prevent SQL injection attacks

SEM '05 Proceedings of the 5th international workshop on Software engineering and middleware
The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Precise analysis of string expressions

SAS'03 Proceedings of the 10th international conference on Static analysis

Quantified Score

Hi-index	0.00

Visualization

Abstract

SQL Injection vulnerability is ranked 1st in the OWASP1 top 10 vulnerability list and has resulted in massive attacks on a number of websites in the past few years. Inspite of preventive measures like educating developers about safe coding practices, statistics shows that these vulnerabilities are still dominating the top. Various static and dynamic approaches have been proposed to mitigate this vulnerability. In this paper, we present a hybrid approach to prevent SQL injection attacks in PHP, a popular server side scripting language. This technique is more effective to prevent SQL injection attack in a dynamic web content environment without use of complex string analyzer logic. Initially, we construct a Query model for each hotspot by running the application in safe mode. In the production environment, dynamically generated queries are validated with it. The results and analysis shows the proposed approach is simple and effective to prevent common SQL injection vulnerabilities.