Effective Prevention Of Ms Sql Injection Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.


This chapter presents the background of the study, the problem statement, the research question, the objective of study, the significance of study, and scope of the study.


Today, most web application provides with high security technology. Unfortunately, this web application can be attacks by a hacker whom try to disturb their organization. From the literature review that we find, SQL injection is types of security attack, which attack web applications that being use database services. There are three forms of MS SQL injection as shown below:

Figure 1.1 MS SQL injection forms

Figure 1.1 is shown the three forms of MS SQL injection, the first form of MS SQL injection is the incorrectly filtered escape characters, this form of MS SQL injection occurs when user input is not filtered for escape characters, and then transferred to the SQL statement. This results in the possible manipulation of the statements made on the database end-user applications.

The second form of MS SQL injection is the incorrect type handling. This form of SQL injection occurs when a user supplied field is not strongly typed or not to control the type constraints. This would occur when the numeric fields to be used in SQL instruction, but the programmer does not check to confirm that user input is numeric.

The third form of MS SQL injection is the blind SQL injection, a blind SQL injection "is used when a Web application is vulnerable to SQL injection, but the results of the injections are not visible to the attacker. About the vulnerability cannot be one that displays the data, but will appear differently depending on the outcome of legal logic is injected into the SQL statement called for this page. This type of attack can be intense, because a new request must be every bit recovered. There are several tools that can automate these attacks after the location of the vulnerability and target information was created.

In this research, I'm going to give a solution for the first and second forms. The third from, I can't solve it in this time so it will be in my future work and for other researchers and developer if they can develop software or give an idea to prevent the blind SQL injection in the web application.

How happens to be the user login form fields then the database request, typically SQL statement. In SQL injection, the attacker provides user input those results in the difference database request. That’s meaning, user input in an SQL statement in the different form than original intended. In short, this attack happens when user input is parsed as SQL tokens then were changing the semantics of the underlying query. Aim of SQL injection is to query the database a manner that was not the intent of the application programmer. There are several techniques that been being use in SQL injection. Most of them use SQL statement in different SQL Injection techniques. Usually attackers try to get information about username and password. Then, most company faces this problem in keep their important information about company. From this problem in web application, I'm doing my research to find the solution of prevent SQL injection in web application.

Increased dependence on web applications significantly and use in the activities of our daily lives, for example: when we do bookings, or pay the bills, we expect these applications to be safe and reliable, means the user can access in a normal way as shown in Figure 1.2 (Cerrudo, 2007). As the availability of these applications on the rise, there was a similar grow in the number and level of attacks that target them.

Figure 1.2 Normal accesses to the web application (Cerrudo, 2007)

One of the most kinds of attacks against Web applications are injected into the query language (SQL). Injection of the query language is the type of attacks that exploit the weakness or gaps in the program. Support attackers to add MS SQL code to the variables passed to the system, so that it is implemented with the basic code in the system and then could allow an attacker unauthorized access to the database system or retrieve sensitive information from the databases as shown in Figure 1.3 (Cerrudo, 2007).

The following example gives an idea of a simplified query language injection:

select * from OrdersT where SCity = ' " + SCity + " ';

Request the user to enter the city name. If Redmond enters the code will be:

SELECT * FROM OrdersT WHERE SCity = 'Redmond'

But if the user writes the query below:

Redmond'; drop table OrdersT â€"

So the code will be:

SELECT * FROM OrdersT WHERE ShipCity= 'Redmond';drop table OrdersT--'

Semicolons (;) refers to the end of the code and the beginning of another. Double hyphen (--) indicates that the remainder of the code is the suspension and should be omitted. If the modified code is writing correctly, in this case the server will apply it. When the server applied this code, in the beginning will select all records in terms of OrdersT where SCity is Redmond. And then will delete the table OrdersT from the database.

Figure 1.3 SQL injection access the server (Cerrudo, 2007)

As long as the code added to the MS SQL code is correct in writing, the manipulation of the cipher cannot detect it programmatically.

In this project, I will talk about what these injections, risk databases, and finally I will discuss solutions and ways to protect against these attacks, to make our web application safe and secure from Structured Query Language (SQL) injection.

A security threat on the Internet is one of the biggest challenges in this time with the great advances in techniques used for attacks. One of the easiest and most serious of these attacks is the MS SQL injection attacks that have come to represent a serious threat to any site or application that contains a database. These attacks would agree to the attacker to get sensitive data and the value of databases. A method of this attack is easy to learn and the damage caused ranging from reasonable to the detriment of the whole system. Regardless of the damage there are a lot of applications on the Internet vulnerable to this attack. Using some ways can prevent such attacks completely.


An MS SQL injection attack is a serious threat to the database from anywhere. A method of attack is easy to use and the damage can range from significant to complete system compromise. Despite these threats to an incredible number of systems on the Internet, but there are many systems not susceptible to this form of attack. (Schwartau, 2001).

SQL injection is one of the most famous vulnerabilities for web-based applications. Use of SQL injection vulnerabilities (SQLIV) during successfully attacks might result in severe cost such as authentication bypass, leaking of private information, etc. (Shahriar, H., & Zulkernine, M. 2008).

Most Web applications use middleware technology designed to obtain information from a relational database SQL. SQL injection is a common technique used by hackers employ to deal with these Web applications. These attacks reforms SQL queries, thus changing the behavior of programs for the hackers. (Buehrer, G., Weide, B., & Sivilotti, P. 2005(.

SQL injection attacks are the greatest current threat to the web applications. Statistics gathered from across the tests show that nearly two thirds of all Web applications are vulnerable to MS SQL injection attacks. (Maor & Shulman, 2003).

The principal consequences arising from the MS SQL injection attacks are:

Impact on the verification of user identity (Authentication), where the attacker can connect to the system without knowing the username and password by using the MS SQL injection.

Impact on confidentiality when an attacker unauthorized access to the database system and see the sensitive data.

Impact on the integration (Integrity) as the attacker can see sensitive data; it can also use the MS SQL injection of the adding and editing to sensitive data. And also impact on the continued availability of service (Availability) when the attacker can scan the data and tables from the databases.


This project will attempt to answer the following questions:

How to harden Web Application Security or tight user's authentication (user name and password) against SQL Injection Attack?

How to conduct an effective prevention of MS SQL injection.


The security of the databases is critical, especially with the spread and evolution of attacks on networks and systems. It is a particularly important increase in the importance of data to be protected. There are many ways and means used to provide security for databases, including what we will address in this research, the means of protection from the MS SQL injection.

The implement of this project will try to achieve the objectives below:

To protect the website from the unauthorized access such as knowing the identity of the user (Authentication & Confidentiality).

To prevent unauthorized data modification on original data to retain data integrity and authentic data (Integrity).

To evaluate the proposed MS SQL injection prevention in web application.


The research scope is to supply the web application high security from MS SQL injection attacks with the appropriate details of how to protect your own website for designers from this attack, so that they can be confident about the web application anytime and anywhere. This project will support the ASP web designer to prevent them website from MS SQL injection attacks.

The web applications' users will be the administrator and the unauthorized users. Technically, the visual studio 2008 will use to design the site which is going to evaluate it, and also I will use the SQL server 2008 to be use for creating the database in this site.


This research would contribute by making websites more secure against the threats of the query language injection, and elimination of security breaches that occur during the injection of the query language by checking user input by testing type of entrance, length, shape and extent of the possibilities that take this entrance.

The MS SQL injection is a major threat to the security of the database if not handled properly. The attackers can access the system to steal data, modify or destroy data. Programmers and software developers they should never trust any inputs from the users because that input cannot be trusted, and deal with all the inputs with caution until they provide the most possible security databases.


The study will present five chapters that introduce:

Chapter one: Gives an introduction, necessary for the understanding of concept used in later chapters and overview of the research.

Chapter two: Discusses about literature reviews, previous related work, and more information to understanding the research.

Chapter three: View and discuss the methodology which used in this project.

Chapter four: Discusses analysis and design as well as show the result of findings.

Chapter five: Contains the conclusion and recommendations.


First chapter includes the main issue of preventing MS SQL injection in web application. It included an introduction of the study, problem statement, research objectives, scope, and research significance. The main objective of this research is to protect the website from the unauthorized access such as knowing the identity of the user.