J. Okesola, A. Ogunbanwo, Ayoade A. Owoade, Emmanuel O. Olorunnisola, Kennedy Okokpuji
Title: Securing web applications against SQL injection attacks - A Parameterised Query perspective
Published in: 2023 International Conference on Science, Engineering and Business for Sustainable Development Goals (SEB-SDG), 5 April 2023
DOI: 10.1109/SEB-SDG57117.2023.10124613 (https://doi.org/10.1109/SEB-SDG57117.2023.10124613)
Citations: 1
Abstract
SQL injection is a major threat to web applications and a particular source of concern for e-commerce. The attack bypasses other security measures to execute malicious SQL and, in the worst case, gives the attacker full control of the database server behind the web application. Given the millions of dollars organisations spend each year guarding against it, a clear understanding of how SQL injection works and how best to prevent it is essential. Using an e-commerce application as a case study, this paper demonstrates how parameterized queries can be used to defend against SQL injection. Parameterized queries were incorporated into the application through Java prepared statements, with a LoginController servlet handling the login procedure. The implementation results show that SQL injection through the parameterized queries is no longer possible: attacker-supplied input cannot be executed, because it is bound as data and data is handled separately from code.
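The data-versus-code distinction the abstract relies on is easiest to see with the login check written both ways. The following is an added example, not code from the paper or its LoginController; it assumes an H2 in-memory database driver on the classpath (any JDBC driver would do), a hypothetical `users` table, and a constructed attacker payload in the password field. Passwords are stored in clear text only to keep the demonstration short.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not the paper's code): the same login check as a
 * string-concatenated query and as a parameterised query.
 * Assumption: the H2 JDBC driver is available (jdbc:h2:mem:...).
 */
public class LoginCheckDemo {

    // Vulnerable form: user input is spliced into the SQL text, so the
    // database parser sees it as part of the statement, i.e. as code.
    static boolean loginConcatenated(Connection conn, String user, String pass)
            throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = '" + user
                   + "' AND password = '" + pass + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Hardened form: the SQL text is fixed at compile time and contains
    // only placeholders; the input is bound afterwards as a value, so a
    // quote or keyword inside it is compared, never parsed.
    static boolean loginParameterised(Connection conn, String user, String pass)
            throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumed in-memory database; the schema and row are constructed for the demo.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:shop;DB_CLOSE_DELAY=-1")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, password VARCHAR(64))");
                st.execute("INSERT INTO users VALUES ('alice', 'correct-horse')");
            }

            // Constructed attacker input: a tautology in the password field.
            // Concatenated, it turns the WHERE clause into
            //   ... AND password = 'x' OR '1'='1'
            // which is true for every row; bound as a parameter it is just
            // the literal string "x' OR '1'='1", which matches no password.
            String payload = "x' OR '1'='1";

            System.out.println("concatenated, payload : " + loginConcatenated(conn, "alice", payload));
            System.out.println("parameterised, payload: " + loginParameterised(conn, "alice", payload));
            System.out.println("parameterised, genuine: " + loginParameterised(conn, "alice", "correct-horse"));
        }
    }
}
```

Compile and run with the H2 jar on the classpath (for example `java -cp h2.jar:. LoginCheckDemo`). The concatenated version accepts the payload because the injected `OR` becomes part of the query; the parameterised version rejects it and still accepts the genuine password, which is exactly the data-versus-code separation the paper attributes to prepared statements. The caveat a practitioner should keep in mind is that binding protects only the values passed through placeholders: table or column names, `ORDER BY` targets and any fragment still built by concatenation must be validated separately, typically against an allow-list.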