1

A System for the prevention of SQL injection attacks

Rasha Alqahtani
Ra17@hood.edu
Spring 2023

Introduction
The security and reliability of web applications are critical for individuals and organizations
alike, as they often deal with sensitive data and transactions. In recent years, the prevalence of
cyber-attacks has increased rapidly, leading to the emergence of new and advanced methods
for attack. One of the most common forms of cyber-attack is SQL injection. SQL injection is a
technique that exploits vulnerabilities in the software application to execute malicious SQL
queries. Once successful, the attacker can access sensitive information, modify data, or even
delete entire databases.
To prevent SQL injection attacks, a robust and effective prevention system is needed. This
capstone project aims to design and implement a SQL injection prevention system that will
prevent SQL injection attacks in real-time.
Building an effective SQL injection prevention system can be challenging, as attackers are
constantly evolving their techniques to circumvent security measures. The challenges such as
complexity of SQL queries, legacy code, false positives, performance impact, evolving attack
techniques and lack of resources are hard to manage.

The proposed system will use a combination of techniques, including input validation,
parameterized queries, and code analysis. The system will be implemented in a web
application, and the effectiveness of the system will be evaluated through testing using a range
of SQL injection attacks. The system will be provided with best practices to prevent SQL
injection attacks.
This project's main objective is to develop a SQL injection prevention system that can
effectively detect and prevent SQL injection attacks while maintaining the integrity and
functionality of the application. This project will also provide an opportunity to explore
different approaches to prevent SQL injection attacks, including their strengths and
weaknesses. The project will provide the best practical solutions to real-time web applications.
The remainder of this thesis will provide an overview of the SQL injection attack, its
consequences, and the different methods used to prevent such attacks. It will then describe the
 2

proposed SQL injection prevention system and provide details of its implementation. Finally,
the thesis will present the results of the testing of the system and discuss its effectiveness in
preventing SQL injection attacks.

Appendix A: Prospectus
1.Research Problem
In cybersecurity, SQL injection attacks lead to data integrity, availability, and authentication
issues. It is the exploitation of databases. In 2021, SQL injections were third most serious
cybersecurity risk. There are 274000 SQL injection attacks that occurred this year. These attacks
are technology which compromises the backend infrastructure. According to NIST Computer
Security Division, Information Technology Laboratory, there are thousands of security vulnerabilities
related to SQL injections as an example is shown in fig 1.1.

Fig 1.1: A list of security vulnerabilities related to SQL injection from the Computer Security Division at
NIST

2.Assumptions
 3

In cybersecurity field, security assumptions often lead to false positives. But SQL injection is an
OSI model layer 7 attack. Such attacks are the cause of massive breakdown of security systems.
The following are some journals related to SQL injection attacks.
(a) SQL Injection Attacks Prevention System by Fairoz Q.Kareem[1]

(b) Review of SQL Injection: Problems and Prevention Mohd Amin Mohd Yunus, Muhammad Zainulariff
Brohan, Nazri Mohd Nawi, Ely Salwana Mat Surin*, Nurhakimah Azwani Md Najib, Chan Wei Liang [1]

3.Abstract
In this paper, we are reviewing the methodology used in SQL injection attacks and their
prevention. In today's world, SQL Injection is a serious security threat over the Internet for the
various dynamic web applications residing over the internet. These Web applications conduct
many vital processes in various web-based businesses. This paper outlines the impact of such
attacks and gives solutions to prevent them.
The vulnerabilities in most web applications enable hackers to gain access to confidential and
confidential information. Structured query injection poses a significant threat to web
applications and is one of the most common and widely used information theft mechanisms.
Where hackers benefit from errors in the design of systems or existing gaps by not filtering the
user's input for some special characters and symbols contained within the structural query
sentences or the quality of the information is not checked whether it is text or numerical, which
causes unpredictability of the outcome of its implementation. In this paper, we review PHP
techniques and other techniques for protecting SQL from the injection, methods for detecting
SQL attacks, types of SQL injection, causes of SQL injection via getting and Post, and prevention
technology for SQL vulnerabilities

4.Introduction
A SQL injection is a technique that attackers use to compromise the database security of target
system. These are the oldest and most common techniques that can be very destructive. The
prevention of such attacks is done through input validation and parameterized queries and
statements. The application code should never use the input directly. All the inputs should be
sanitized properly.
Website applications play an essential part in daily life in today's technology-driven world.
People use websites for various purposes, including internet shopping, banking, and chatting
with friends. Often, websites use databases to store user data on the backend [1]. Since
sensitive information, including passwords, credit card numbers, and social security numbers, is
kept in such files, malicious hackers often attack them [2-4]. According to an analysis of
numerous hacking events, when operating system security improves and security protection
software and hardware solutions become more widespread, network attacks directly triggered
by operating system vulnerabilities decrease year after year, while the usage rate of WEB
 4

application system vulnerabilities increases. Because of its easy syntax and high development
performance, Python has become the language of choice for developing all types of portal
websites and Web application programs. Django architecture is a Python language
development environment with fast speed, high compatibility, free open source, and other
benefits [5]. Based on the current traffic levels, about 70% of the Django architecture relies on
the present-day network conditions [6]. Since the Python early design process is over-efficient
and transparent, some necessary security specifications in the programming language are not
strictly restricted [7]. Adding delicate data is needed. It is counterproductive because the
programmer lacks their security knowledge while the machine functions are jeopardized [8].

5.Research Questions
The following are some of the questions on SQL injection prevention system:

• What are the different techniques used to do SQL injection attacks?

• What are the different methods being used to prevent such attacks?
• How is penetration testing carried out on the system?

6.Expected Outcome
The SQL injection prevention system will be helpful to prevent the attacks. The following
outcome will come:

• The diverse ways of SQL injection attacks carried out

• The database is provided with such methods as input validation, parameterized queries,
whitelist input, escaping special characters are used to prevent such attacks
• The tools will be used to do SQL injection attacks onto the system to check the
vulnerabilities of the system

7.Project Plan
There will be a web-app containing Python as a backend. The website would have log-in and
sign-in forms to get onto the website. There will be a database of users. The SQL queries will be
designed according to the following techniques to prevent SQL injection. The different methods
are used to prevent attacks:
 5

Fig 7.1: A workflow model to prevent SQL injection

• Using the query parameters in SQL:

• Using stored procedures
• Web application firewall
• Input Validation
• Using SQL Composition
Password hashing
Password hashing is defined as putting a password through a hashing algorithm (bcrypt, SHA,
etc) to turn plaintext into an unintelligible series of numbers and letters. The flow control
mechanism of password hashing is shown below in fig 7.2
 6

Fig 7.2: A password hashing mechanism

Vulnerability Testing
After designing the database and configuring the web app, the SQL injection attacks will be
carried out onto the web-app. The attacks will be used to know how secure the system against
SQL injection attacks is.

The following malicious tricks will be brute forced to show SQL injection vulnerabilities:

• Login injection
• Union injection
• Bypassing Login Screens
• Bulk insert
Then some tools will also be used to carry out the SQL injection attacks as followings:

• Blind SQL Injection.

• SQLmap
• Time Based Blind SQL Injection.
• Deep Blind (based on advanced time delays)
• SQL Injection Error Based SQL Injection.

8.Anticipated Difficulties & Pitfalls

 7

In the last 12 months, sixty five percent of organizations experienced SQL injection attacks.
Testing SQL vulnerabilities can be difficult because such malicious code is simple and hard to
identify. Black-box SQL injection vulnerability testing has traditionally been difficult because
SQL errors generated from attack string inputs can be swallowed or masked by the application
from end users. The tester knows his input caused an error but is unsure whether there is a
vulnerability or not.

References
[1] Fairoz Q.Kareem, “SQL Injection Attacks Prevention System” in Asian Journal of Research in
Computer Science, vol. 10, no. 3, pp. 13-32, 2021, Article no. AJRCOS.70376, ISSN: 2581-8260.
[2] Mohd Amin Mohd Yunus, Muhammad Zainul ariff Brohan, Nazri Mohd Nawi, Ely Salwana
Mat Surin*, Nur Hakimah Awani Md Najib, Chan Wei Liang, “Review of SQL Injection: Problems
and Prevention” in INTERNATIONAL JOURNAL ON INFORMATICS VISUALIZATION, VOL 2 (2018) NO 3
- 2 e-ISSN: 2549-9904 ISSN: 2549-9610.

[3] Antunes N, Vieira M. "Comparing the effectiveness of penetration testing and static code
analysis on the detection of sql injection vulnerabilities in web services," in 2009 15th IEEE
Pacific Rim International Symposium on Dependable Computing. 2009;301-306.

[4] Halfond WG, Viegas J, Orso A. "A classification of SQL-injection attacks and
countermeasures," in Proceedings of the IEEE international symposium on secure software
engineering. 2006;13-15.
[5] Patel N, Mohammed F, Soni S. SQL injection attacks: techniques and protection
mechanisms. International Journal on Computer Science and Engineering. 2011; 3:199-203.
[6] Ntagwabira L, Kang SL. "Use of query tokenization to detect and prevent SQL injection
attacks," in 2010 3rd International Conference on Computer Science and Information
Technology. 2010;438-440.
[7] Zhang H, Zhang X. "SQL injection attack principles and preventive techniques for PHP site,"
in Proceedings of the 2nd International Conference on Computer Science and Application
Engineering. 2018;1-9.
[8] Stobart S. Vassileiou M. "MySQL database and PHPMy admin installation," in PHP and
MySQL Manual, ed.