DocumentCode
2807312
Title
TransSQL: A Translation and Validation-Based Solution for SQL-injection Attacks
Author
Zhang, Kai-Xiang ; Lin, Chia-Jun ; Chen, Shih-Jen ; Hwang, Yanling ; Huang, Hao-Lun ; Hsu, Fu-Hau
Author_Institution
Comput. Sci. & Inf. Eng., Nat. Central Univ., Jhongli, Taiwan
fYear
2011
fDate
21-23 Nov. 2011
Firstpage
248
Lastpage
251
Abstract
SQL injection attacks, a class of injection flaw in which specially crafted input strings lead to illegal queries against databases, are one of the topmost threats to web applications. A number of research prototypes and commercial products that maintain the query structure in web applications have been developed, but these techniques either fail to address the full scope of the problem or have limitations. Based on our observation that the injected string in a SQL injection attack is interpreted differently on different databases, in this paper we propose a novel and effective solution, TransSQL, to solve this problem. TransSQL automatically translates a SQL request into an LDAP-equivalent request. After the queries are executed on a SQL database and an LDAP one, TransSQL checks the difference in responses between the SQL database and the LDAP one to detect and block SQL injection attacks. Experimental results show that TransSQL is an effective and efficient solution against SQL injection attacks.
Keywords
Internet; SQL; computer crime; program verification; query formulation; query processing; LDAP-equivalent request; SQL database; SQL-injection attack; TransSQL; Web application; illegal database; illegal query; injected string; injection flaw; query structure; validation-based solution; Bridges; Databases; Libraries; Monitoring; Runtime; Security; Testing; LDAP; SQL injection; web security;
fLanguage
English
Publisher
ieee
Conference_Titel
Robot, Vision and Signal Processing (RVSP), 2011 First International Conference on
Conference_Location
Kaohsiung
Print_ISBN
978-1-4577-1881-6
Type
conf
DOI
10.1109/RVSP.2011.59
Filename
6114949