Security Measures Against SQL Injection Attacks

INTISAR MILAD MOHAMED ALSSULL, AISHA ABADALLA MAHMOUD LUSTA

Abstract


Most web applications built in recent years rely on the SQL standard: the application sends Structured Query Language statements to a database server, values are returned according to the queries and parameters derived from user requests, and the results are displayed to the user or administrator in a format determined by the application's architecture. When a query is assembled dynamically from user input, however, an attacker can supply input that is interpreted as part of the query itself. The attacker's SQL fragments are injected into the statement during this assembly, so that malicious commands entered in any input that reaches a query (the browser address bar, a login or search form, a cookie) can retrieve information that was never meant to be accessible. By extending the injected statement, the attacker can then reach other data in the database, and by running arbitrary commands on the database server can damage the application or the server itself. This article presents and analyses an example of a SQL injection attack on a web application built on MSSQL and ASP.NET, and lists protective measures and recommended solutions against this class of vulnerability in browser-based web applications.
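To make the mechanism the abstract describes concrete, the following is an added example and not code from the paper's MSSQL-ASP.NET case study. It uses Python's standard sqlite3 module as a stand-in for MSSQL; the users table, account names and passwords are constructed for the demonstration. It shows the dynamically built login query the abstract warns about, two injection payloads against it (a tautology in the password field and a comment sequence in the username field), the numeric-context query where escaping quotes would not help, and the parameterized forms that close both holes.

```python
import sqlite3

# Constructed sample data for this demonstration (not from the paper).
SAMPLE_USERS = [
    ("admin", "S3cret!", "administrator"),
    ("alice", "hunter2", "user"),
]


def setup_db():
    """Create an in-memory database holding a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the abstract describes: user input spliced into the query text.

    Input such as   password = "' OR '1'='1"   or   username = "admin'--"
    becomes part of the WHERE clause and changes what the query means.
    """
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Fix: the query text is constant; values are sent as bound parameters
    and can never be parsed as SQL, whatever characters they contain."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def user_by_id_vulnerable(conn, user_id):
    """Numeric context: there are no quotes to escape, so doubling single
    quotes in the input would not help. "1 OR 1=1" selects every row."""
    sql = "SELECT username, role FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def user_by_id_parameterized(conn, user_id):
    """Fix: validate the type, then bind. Non-integer input is rejected
    before any SQL is built (int() raises ValueError on "1 OR 1=1")."""
    uid = int(user_id)
    sql = "SELECT username, role FROM users WHERE id = ?"
    return conn.execute(sql, (uid,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("tautology:", login_vulnerable(db, "nobody", "' OR '1'='1"))
    print("comment:  ", login_vulnerable(db, "admin'--", "wrong"))
    print("numeric:  ", user_by_id_vulnerable(db, "1 OR 1=1"))
    print("bound:    ", login_parameterized(db, "admin'--", "wrong"))
```

One caveat on the stand-in: sqlite3 refuses to execute more than one statement per call, so a stacked payload such as `'; DROP TABLE users--` is rejected here, whereas a SqlCommand sent to MSSQL through ADO.NET executes a batch, so on the platform the paper studies that payload would run. The defence is the same in both cases: bind every user-supplied value as a parameter and validate its type, rather than assembling the query text from input.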

Keywords


SQL, Program, Web, Application, Language, Database




DOI: http://dx.doi.org/10.52155/ijpsat.v27.1.3063


Copyright (c) 2021 INTISAR MILAD MOHAMED ALSSULL

This work is licensed under a Creative Commons Attribution 4.0 International License.