DocumentCode :
1961454
Title :
Use of Query tokenization to detect and prevent SQL injection attacks
Author :
Lambert, Nicholas ; Kang Song Lin
Author_Institution :
Dept. of Inf. Sci. & Eng., Central South Univ., Changsha, China
Volume :
2
fYear :
2010
fDate :
9-11 July 2010
Firstpage :
438
Lastpage :
440
Abstract :
When an application builds dynamic queries, a user has many opportunities to inject extra statements into the query and thereby cause a different database request. SQL injection is a means by which data or information can be stolen from the database. Most applications are designed so that data is requested from the database through user inputs, and an attacker can inject into the original SQL query to obtain, change, or view data for which he does not have permission. The aim of our research is to develop a method that detects and prevents SQL injection attacks by checking whether user inputs change the query's intended result. We propose a method to detect SQL injection attacks by query tokenization, implemented by the QueryParser method. An attacker performing SQL injection will in most cases use a space, a single quote or a double dash in his input. Our method tokenizes the original query and the query containing the injected input separately: tokenization is performed by detecting a space, a single quote or a double dash, and the string preceding each such symbol constitutes a token. The tokens form an array in which every token is an element. The two arrays obtained from the original query and from the query with injection are compared by length to decide whether an injection is present. Access to the data is granted when the lengths are the same and denied when they differ.
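The tokenization and length comparison described in the abstract, written out as an added Python example (this is not the paper's QueryParser code). Assumptions not stated in the abstract: every segment before a boundary is kept as a token, including empty segments, so an input that only appends `'--` still changes the count; the "original query" is the template filled with a benign reference value; the `{}` placeholder, the table and column names, and all sample inputs are constructed here. The example goes slightly beyond the abstract by also running two inputs that show the limits of a pure length comparison: a benign value that contains a space, and an injection that avoids all three delimiters.

```python
import re

# The three token boundaries the abstract names: a space, a single quote, a double dash.
# Assumption: every segment before a boundary is kept as a token, including empty
# segments (so an input that merely appends "'--" still raises the count).
_BOUNDARY = re.compile(r" |'|--")


def tokenize(query: str) -> list[str]:
    """Split a query at every space, single quote or '--' and return the segments.

    The boundary characters themselves are dropped; what remains is the array of
    tokens whose length the detector compares.
    """
    return _BOUNDARY.split(query)


def build_query(template: str, value: str) -> str:
    """Build the dynamic query by string concatenation (the vulnerable pattern).

    `template` is a hypothetical query with one `{}` placeholder; the value is
    inserted verbatim, without escaping or parameter binding.
    """
    return template.replace("{}", value, 1)


def is_injected(template: str, reference_value: str, user_value: str) -> bool:
    """Length comparison from the abstract.

    The baseline array comes from the template filled with a benign reference value
    (assumption: this is what 'original query' means); the candidate array comes
    from the same template filled with the actual user input. A different length
    means the input introduced extra delimiters, and access is denied.
    """
    baseline = tokenize(build_query(template, reference_value))
    candidate = tokenize(build_query(template, user_value))
    return len(baseline) != len(candidate)


# Constructed sample templates and inputs (not taken from the paper).
STRING_TEMPLATE = "SELECT * FROM users WHERE username = '{}'"
NUMERIC_TEMPLATE = "SELECT * FROM users WHERE id = {}"

SAMPLES = [
    # (template, reference value, user input, description)
    (STRING_TEMPLATE, "alice", "bob", "benign single word"),
    (STRING_TEMPLATE, "alice", "alice' OR '1'='1", "tautology injection"),
    (STRING_TEMPLATE, "alice", "admin'--", "comment-out injection"),
    (STRING_TEMPLATE, "alice", "Mary Ann", "benign value containing a space"),
    (NUMERIC_TEMPLATE, "7", "1/**/OR/**/1=1", "injection using /**/ instead of spaces"),
]


def run_samples() -> list[tuple[str, bool]]:
    """Evaluate each sample and return (description, flagged) pairs."""
    return [(desc, is_injected(t, ref, user)) for t, ref, user, desc in SAMPLES]


if __name__ == "__main__":
    for desc, flagged in run_samples():
        print(f"{'DENY ' if flagged else 'GRANT'}  {desc}")
```

The first three samples behave as the abstract predicts: a plain word keeps the count, while the tautology and the comment-out inputs add quotes, spaces or dashes and are denied. The last two show what a practitioner should check before relying on the count alone: "Mary Ann" is denied although it is harmless, and `1/**/OR/**/1=1` in a numeric position is granted because inline comments replace the spaces the tokenizer keys on. Parameterized queries remove the string concatenation in `build_query` and are the standard remedy regardless of detection.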
Keywords :
SQL; query processing; security of data; QueryParser method; SQL injection attack; SQL query; Structured Query Language; database request; dynamic query; query tokenization; Distance measurement; SQL Injection Attacks; Tokenization;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Science and Information Technology (ICCSIT), 2010 3rd IEEE International Conference on
Conference_Location :
Chengdu
Print_ISBN :
978-1-4244-5537-9
Type :
conf
DOI :
10.1109/ICCSIT.2010.5565202
Filename :
5565202