| Following the severity of SQL Injection attacks, researchers have proposed many solutions to this problem; unfortunately most of proposed solutions do not fully address the problem of SQL Injection attacks from their roots and therefore are doubtful about their performance. One of the cornerstone principles in relational theory is selection. Selection is actualized using the WHERE clause of the SELECT statement. Conditions that restrict the dataset returned take many forms and operate on columns as well as expressions. Only those rows in a table that conform to these conditions are returned. The WHERE clause extends the SELECT statement by providing the language to restrict rows returned based on one or more conditions. In a query conditions are separated by the operators. Arithmetic Operators interact with each other by following precedence hierarchy. Bracketed expressions are evaluated before multiplication and division operators, which are evaluated before subtraction and addition operators.Our Thesis proposes a new approach of SQL Injection attacks by presenting the selection part of a query as the main root of SQL Injection attack, and therefore uses a selection condition tree as the exhaustive tool for SQL Injection protection. SQL Injection attack is the vulnerability that results when you give an attacker the ability to influence the Structured Query Language (SQL) queries that an application passes to a back-end database. By being able to influence what is passed to the database, the attacker can leverage the syntax and capabilities of SQL itself, as well as the power and flexibility of supporting database functionality and operating system functionality available to the database. This approach discusses the problem of SQL Injection attacks by presenting a query vulnerable area as a tree and compares the tree for an original query with that of the query after the user has provided inputs. Original query is the query already designed by the programmer based on the information to be accessed in the database. If a user has made SQL Injection Attacks, it means he/she has changed the original query. When the two trees are different, the injection is detected; hence the query will not be executed.To implement select condition tree approach, we developed and implemented using java by applying the Model-View-Controller (MVC) architecture. The original query is found in the model part of the system. Indeed for each table whose data are to be accessed by the user through the view, there is an original query that is invariable and designed for data access. It is from this original query that the data model is built. Our approach will be efficient in such a way that it provides a full protection against SQL Injection attacks and its practicability will be proved during the implementation. |
PDF Full Text Request