In computer security terminology, SQL Injection Attacks (SQLIAs) are attacks that pose a security threat to web applications by manipulating, modifying, retrieving or destroying sensitive information in the underlying database server through the web application. This type of attack can compromise the confidentiality, integrity and availability of the database systems behind online applications. Although many researchers and developers have focused on preventing this type of attack and have proposed techniques to overcome the problem, those methods either fail to correctly address this type of attack or have limitations in preventing all types of SQLIAs. In this paper, we present an extensive review of the different types of SQLIAs known to date, analyze different types of recently developed defensive mechanisms, and show how each technique can help prevent or detect each type of SQL Injection Attack. We also propose PSIAQOP (Preventing SQL Injection Attacks based on Query Optimization Process), a novel approach that prevents all types of SQLIAs. The key idea of this approach is to take advantage of the query optimization process, which depends on heuristic rules, to prevent the different types of SQLIAs.