Prevention of Website SQL Injection Using a New Query Comparison and Encryption Algorithm

Authors

  • Mahmoud Baklizi Computer Science/Network Department, Faculty of Information Technology, Al-Isra University, Amman, Jordan
  • Issa Atoum Software Engineering Department, Faculty of Information Technology, The World Islamic Sciences and Education, Amman, Jordan
  • Mohammad Al-Sheikh Hasan Computer Science Department, University of Petra, Amman, Jordan
  • Nibras Abdullah School of Computer Sciences, Universiti Sains Malaysia (USM), Penang 11800, Malaysia; Faculty of Computer Science and Engineering, Hodeidah University, Hodeidah P.O. Box 3114, Yemen
  • Ola A. Al-Wesabi School of Computer Sciences, Universiti Sains Malaysia (USM), Penang 11800, Malaysia; Faculty of Computer Science and Engineering, Hodeidah University, Hodeidah P.O. Box 3114, Yemen
  • Ahmed Ali Otoom Faculty of Science and Information Technology, Irbid National University, Irbid, Jordan

Keywords:

SQL Injection, Prevention, Character Spacing, SQLPMDS, SIUQAPTT, Blind SQL Injection

Abstract

Web applications are now essential to every organization, and they interact directly with the databases in which data and information are stored, organized, retrieved, and processed. Most attacks on a web application therefore target its database, so the application must be secure enough to prevent unauthorized access to customer databases, destruction of data, and theft of bank accounts and transactions. Most SQL injection attacks are carried out through character spacing, which is the technique attackers use to probe a site for a vulnerability. This paper proposes a new algorithm that stops attackers at the web application layer, before any request reaches the database. The algorithm protects the web application from injected input by using bind parameters, blocking the attacker's address, and rejecting the request before the query is executed. It also operates at more than one layer, the web application and the URL, so that both are sufficiently protected. The algorithm was compared with SQLPMDS, SIUQAPTT, and blind SQL injection prevention approaches, and the results show that it performs better on more than one measure.
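The abstract names three ingredients, bind parameters, a comparison of the executed query against the intended one, and rejection of the request with blocking of the source address, working at both the URL and application layers. The following is an added illustration of those ideas in Python with sqlite3; it is not the authors' algorithm nor the SQLPMDS or SIUQAPTT code. The users table, the IP addresses, the query string inputs, and the "block for the process lifetime" policy are all constructed for this example, and the token-skeleton comparison is one simple way to implement "query comparison", not the paper's method.

```python
"""Added illustration (not the paper's code): a login lookup built with string
concatenation and with bind parameters, plus a token-structure comparison that
rejects a request and blocks its source address when the input has changed the
shape of the query."""
import re
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed sample table; the rows are made up for this example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, name, pw):
    """'Before': user input is concatenated into the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in con.execute(sql)]


TEMPLATE = "SELECT name FROM users WHERE name = ? AND pw = ?"


def login_bound(con, name, pw):
    """'After': bind parameters; the driver never parses the input as SQL."""
    return [row[0] for row in con.execute(TEMPLATE, (name, pw))]


# One token per match: quoted literal, number, word, line comment, or symbol.
TOKEN = re.compile(r"'(?:[^']|'')*'|\d+|\w+|--[^\n]*|[^\s\w]")


def structure(sql):
    """Collapse every literal (and every '?' placeholder) to LIT, so a benign
    value and its placeholder give the same skeleton, while a value that adds
    OR, a comment, or an extra comparison does not."""
    skeleton = []
    for tok in TOKEN.findall(sql):
        if tok.startswith("'") or tok.isdigit() or tok == "?":
            skeleton.append("LIT")
        elif tok.startswith("--"):
            skeleton.append("COMMENT")
        else:
            skeleton.append(tok.upper())
    return skeleton


class QueryGuard:
    """Compares the query the legacy code would run against the expected
    skeleton; a mismatch rejects the request and blocks the source address
    for the rest of the process lifetime (assumed policy, not the paper's)."""

    def __init__(self, template):
        self.expected = structure(template)
        self.blocked = set()

    def allow(self, sql, addr):
        if addr in self.blocked:
            return False
        if structure(sql) != self.expected:
            self.blocked.add(addr)
            return False
        return True


def handle_login(con, guard, query_string, addr):
    """URL layer: parameters parsed from the query string. Application layer:
    structure check, then a bound query. Returns None when rejected."""
    params = parse_qs(query_string, keep_blank_values=True)
    name = params.get("user", [""])[0]
    pw = params.get("pw", [""])[0]
    candidate = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    if not guard.allow(candidate, addr):
        return None
    return login_bound(con, name, pw)


if __name__ == "__main__":
    con = make_db()
    payload = "' OR 1=1 --"
    print(login_vulnerable(con, payload, "x"))  # every row: the OR is live SQL
    print(login_bound(con, payload, "x"))       # []: the payload is only a value
    guard = QueryGuard(TEMPLATE)
    print(handle_login(con, guard, "user=alice&pw=s3cret", "10.0.0.5"))
    print(handle_login(con, guard, "user=' OR 1=1 --&pw=x", "10.0.0.9"))
    print(handle_login(con, guard, "user=alice&pw=s3cret", "10.0.0.9"))
```

The bound query alone already defeats the payload; the skeleton comparison is what lets the application recognise the attempt, reject it before execution, and refuse further requests from the same address, which is the layered behaviour the abstract describes. Note that the comparison is done on the text the legacy code would have built, while the query that actually runs is always the parameterized one.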

References

Bayyapu, N., SQL Injection Attacks and Mitigation Strategies: The Latest Comprehension, in Advances in Cybersecurity Management, K. Daimi and C. Peoples, Editors. 2021, Springer International Publishing: Cham. p. 199-220.

Chen, D., et al., SQL Injection Attack Detection and Prevention Techniques Using Deep Learning. Journal of Physics: Conference Series, 2021. 1757(1): p. 012055.

Marashdeh, Z., K. Suwais, and M. Alia. A Survey on SQL Injection Attack: Detection and Challenges. in 2021 International Conference on Information Technology (ICIT). 2021.

Latchoumi, T.P., M.S. Reddy, and K. Balamurugan, Applied Machine Learning Predictive Analytics to SQL Injection Attack Detection and Prevention. European Journal of Molecular & Clinical Medicine, 2020. 7(2): p. 3543-3553.

Voitovych, O.P., O.S. Yuvkovetskyi, and L.M. Kupershtein. SQL injection prevention system. in 2016 International Conference Radio Electronics & Info Communications (UkrMiCo). 2016.

Shanmughaneethi, V., et al., SQLIVD - AOP: Preventing SQL injection vulnerabilities using aspect oriented programming through web services. Vol. 169. 2011. 327-337.

Lu, D., et al. A GAN-based Method for Generating SQL Injection Attack Samples. in 2022 IEEE 10th Joint International Information Technology and Artificial Intelligence Conference (ITAIC). 2022.

Nikita, P., Fahim, and S. Soni, SQL Injection Attacks: Techniques and Protection Mechanisms. International Journal on Computer Science and Engineering, 2011. 3.

Singh, N. and P. Tiwari. SQL Injection Attacks, Detection Techniques on Web Application Databases. in Rising Threats in Expert Applications and Solutions. 2022. Singapore: Springer Nature Singapore.

Kar, D. and S. Panigrahi, Prevention of SQL Injection attack using query transformation and hashing. 2013. 1317-1323.

Raut, S., et al., A Review on Methods for Prevention of SQL Injection Attack. International Journal of Scientific Research in Science and Technology, 2019: p. 463-470.

Kini, S., et al. SQL Injection Detection and Prevention using Aho-Corasick Pattern Matching Algorithm. in 2022 3rd International Conference for Emerging Technology (INCET). 2022.

Harefa, J., et al., SEA WAF: The Prevention of SQL Injection Attacks on Web Applications. Advances in Science, Technology and Engineering Systems Journal, 2021. 6: p. 405-411.

Ojagbule, O., H. Wimmer, and R.J. Haddad. Vulnerability Analysis of Content Management Systems to SQL Injection Using SQLMAP. in SoutheastCon 2018. 2018.

McWhirter, P.R., et al., SQL Injection Attack classification through the feature extraction of SQL query strings using a Gap-Weighted String Subsequence Kernel. Journal of Information Security and Applications, 2018. 40: p. 199-216.

Chaki, S.M.H., M. Mat Din, and M. Md Siraj, Integration of SQL Injection Prevention Methods. International Journal of Innovative Computing, 2019. 9(2).

Maheshwarkar, B. and N. Maheshwarkar, SIUQAPTT: SQL Injection Union Query Attacks Prevention Using Tokenization Technique. 2016. 1-4.

Binu, S. and A. Albert, Proposed Method for SQL Injection Detection and its Prevention. 2018.

Aljebry, A.F., Y.M. Alqahtani, and N. Sulaiman. Analyzing Security Testing Tools for Web Applications. in International Conference on Innovative Computing and Communications. 2022. Singapore: Springer Singapore.

Yenduri, R. and M. Al-khassaweneh. PHP: Vulnerabilities and Solutions. in 2022 2nd International Mobile, Intelligent, and Ubiquitous Computing Conference (MIUCC). 2022.

[Figure: the proposed methodology]

Published

16.01.2023

How to Cite

Baklizi, M., Atoum, I., Al-Sheikh Hasan, M., Abdullah, N., Al-Wesabi, O. A., & Otoom, A. A. (2023). Prevention of Website SQL Injection Using a New Query Comparison and Encryption Algorithm. International Journal of Intelligent Systems and Applications in Engineering, 11(1), 228–238. Retrieved from https://ijisae.org/index.php/IJISAE/article/view/2462

Section

Research Article