prevent them
Abstract
This dissertation introduces different kinds of SQL injection techniques, explores them and
proposes prevention techniques as well.
At present, web applications are used for most of the activities in our lives, and they are
affected by SQL injection attacks. SQL injection is a prevalent technique that attackers use to
compromise the database behind most web applications by manipulating the SQL queries that are
sent to the RDBMS, thereby changing the behaviour of the application.
Databases are the large warehouse of the software industry in which all the data of experts and
users is stored. Cloud databases are large databases that offer access to practically unlimited
storage space. Structured Query Language (SQL) is the language used to write and pass queries
to the database. SQL injection is a threat generated by external agents to harm the system, and
it is most effective against queries. This dissertation introduces prevention techniques against
the threats generated by SQL injection, and gives a brief overview of both the SQL injection
threats and the prevention techniques.
Table of Contents
Abstract.............................................................................................................................2
Table of figures..................................................................................................................4
1. Introduction...................................................................................................................6
1.1 Motivation...................................................................................................................8
1.2 Research aim and requirements...................................................................................9
1.3. Previous findings.......................................................................................................11
1.4. Dissertation structure................................................................................................12
2. Literature review..........................................................................................................13
2.1. Research methodology..............................................................................................16
2.2. SQL Injection Attacks.................................................................................................19
2.3. Types of SQL Injection attacks...................................................................................19
3. Practical work..............................................................................................................24
3.1. Practical examples of SQL attacks and its prevention.................................................25
The above query, when used in code, will not return any information about the question
and will ask for complete details, even after the hacker tries to obtain the user ID and
password. The attack is identified by the code, and the account is secured........................28
3.2. Theoretical implication..............................................................................................28
3.3. Prevention techniques...............................................................................................29
4. Implementation of practical work.................................................................................31
4.1. SQL Injection Attack demo 1:.....................................................................................31
4.2. SQL Injection attack demo 2:.....................................................................................39
4.3. SQL Injection attack demo 3:.....................................................................................47
4.4. SQL Injection Attack demo 4:.....................................................................................48
5. Results, analysis and evaluation...................................................................................63
Conclusion........................................................................................................................67
Recommendations...........................................................................................................67
References.......................................................................................................................68
APPENDIX A: Ethical Approval..........................................................................................71
Appendix B: Gantt Chart for the dissertation....................................................................85
Table of figures
Figure 1.1. SQL injection attack process...................................................................................9
Figure 2: SQL injection attack.................................................................................................12
Figure 3: SQL Injection, Detection and Preventions...............................................................15
Figure 4....................................................................................................................................25
Figure 5....................................................................................................................................26
Figure 6....................................................................................................................................26
Figure 7....................................................................................................................................27
Figure 8....................................................................................................................................27
Figure 9....................................................................................................................................28
Figure 10..................................................................................................................................28
Figure 11: Acunetix..................................................................................................................31
Figure 12: When we use “2” it will display other data............................................................32
Figure 13: Fetch Array.............................................................................................................32
Figure 14: Error reflects after the query we got.......................................................................33
Figure 15: Reflect the Database name......................................................................................34
Figure 16: Reflecting the version of database running.............................................................34
Figure 17: Reflecting system user data....................................................................................35
Figure 18: Fetch the table name at 1 row value.......................................................................35
Figure 19: Collecting the full table name at once....................................................................36
Figure 20: Fetching the user table information........................................................................36
Figure 21: Getting the password from user table.....................................................................37
Figure 22: Fetching the credit card information.......................................................................38
Figure 23: Fetching the mail id data.........................................................................................38
Figure 24..................................................................................................................................39
Figure 25: Locating URL.........................................................................................................40
Figure 26..................................................................................................................................40
Figure 27..................................................................................................................................41
Figure 28..................................................................................................................................42