Title of article :
An Approach to Detection of SQL Injection Attack Based on Dynamic Query Matching
Author/Authors :
Debasish Das (author), Utpal Sharma (author), D.K. Bhattacharyya (author)
Issue Information :
Journal with serial number, year 2010
Abstract :
A large number of web applications, especially those deployed by companies for e-business operations, involve high reliability, efficiency and confidentiality. Such applications are often written in scripting languages like PHP embedded in HTML, which allow establishing connections to databases, retrieving data, and putting it on the Web. One of the most common web application attacks is SQL injection. In this attack, an attacker attempts to use maliciously crafted input strings so that the dynamic SQL queries generated by the web application are different from the structure designed by the developer. In this paper, an attempt has been made to classify SQL injection attacks based on the vulnerabilities in web applications. A brief review of the existing approaches for the detection of SQL injection attacks has also been presented. Further, the paper presents an effective detection method (DUD) for SQL injection based on dynamic query matching. The DUD approach is independent of the developer's initialization of syntactical rules, valid trusted string database, static or pre-generated program code checking, etc. Also, DUD is significant in view of its simple detection mechanism as well as its high detection rate.
Keywords :
WEB, PHP, classification, DUD, SQL injection
Journal title :
International Journal of Computer Applications