Survey Of Sql Injection Attack Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

With the developed technology the use of computer and internet increased there is no company in the world that does not use computer and internet for work. But due to the use of computer and internet the data of users become unsecure the hackers try different techniques and hack the data. By hacking the data and other information they company get affected in terms of finance and work. Some time it is difficult to recover the data after the attack of the hacker. As the technology advance the attacks increases and security experts are working on these things that how to get rid of these attacks. In this paper we will discuss that how the structured query language injection work and effect the web application and also discuss about the countermeasure which help us to prevent these attacks.

With the passage of time the internet becomes the important part of life even in the houses it also become the part of life. With the use of internet we get connected to the world we can access anything which we want we can get e.g. we can listen and read news, collect information on all topics, can buy and sell anything online etc. But as the technology become vast and developed the hacker and crackers came in to the market and they began to hack the website and crack the passwords as the result the use on internet become risky and due to internet the virus get into the computers and it corrupt and sometime hack the important data. Like this different types of hacking techniques came in to being and as the techniques developed on the other hand the companies tried to secure their system. So they developed some security software's and create some security checks as the result the hacking become difficult and it became very difficult to hack the computer or website.

In this paper we will discuss about the SQL injection attack on the website and take a survey on the attacks which happened in 2011 and then we will discuss that how we can protect our websites from this type of attacks. The first section of this paper is introduction while the section II tells us that what is structured query language (SQL) then section III contain the discussion about the SQL Injection, IV section consist on forms of SQLi attacks. Section V is of types of attacks and section VI deals about the risk which are associated with this attack. Section VII cover the discussion that why we need to avoid these types of attacks. Section VIII covers a survey on the attacks which take place in 2011 and section IX is of information about SQLi attacks. Section X tells us the countermeasure for the SQLi and section XI is of types of attack that the countermeasure can stop. While second last portion is conclusion and last section is references.

What is Structured Query Language (SQL)

SQL stands for Structured Query Language. It is a special type of programming language designed for managing data the SQL held in a relational database management systems (RDBMS). It is originally based on the relational algebra and tuple relational calculus. It also consists on data definition and data manipulation language.

SQL have the features of data insert, query update, update, delete, modification etc. and it also includes the procedural elements. SQL was one of the first commercial languages. [1] It is most widely used language. [2][3] It became the standard of American National Standard Institute (ANSI) and of the International Organization for Standards (ISO) in 1987. [4] And the SQL also modified with the passage of time.

It is basically for website designing and due to website designing it also meets with different types of security attacks. In this paper we will discuss the security attacks on SQL and take a survey of attacks in 2011.

SQL Injection

There are many methods through which the attacker can attack on the website in this paper we will discuss the method which is called SQL Injection shortly named as SQLI. SQLI attack is often used to attack the data driven applications. [5] This type of attack is done by including the SQL statement in any entry field in an attempt to get the website to pass into a newly roughly SQL command to the database. The SQLI is a code injection technique and by the injection of the code the security weakness is activated in the application software which will harm the data as well as website. The reason for this type of attack is the incorrectly filtered for literal escape character embedded in SQL statements or user input is not strongly typed and unexpectedly executed. It is mostly know as an attack vector for website but it can be used to attack on any type of SQL database. It is noted that in operation environment the application faces an average of 71 attacks per hour. [6]

Forms of SQL Attacks and Validity

This attack is considering one of the top 10 web application vulnerabilities of 2007 and 2010 by the Open Web Application Security Project. [7] It contains five main sub-classes depending on the technical aspects of the attack's deployment:

Classic SQLIA

Inference SQL injection

Interacting with SQL injection

Database management system-specific SQLIA

Compounded SQLIA

SQL injection + insufficient authentication [8]

SQL injection + DDoS attacks [9]

SQL injection + DNS hijacking [10]

SQL injection +XSS [11]

Types of SQLI Attack

Incorrectly filtered escape characters

This type of attack occurs when user input is not filtered for leakage characters and is then passed into a SQL statement. This result in the potential operation of the statements performed on the database by the end-user of the application.

Incorrect type handling

This form of SQL injection occurs when a user-supplied field is not typed efficiently or is not tested for type constraints. Incorrect type handling is used when a numeric field is to be used in a SQL statement while the programmer makes no checks to validate that user supplied input numeric.

Blind SQL injection

When the web application is weak to an SQL injection then the Blind SQL Injection is used but the result of this injection can't be seen by the attacker. The page with the weakness may not be one that displays data but will display differently depending on the results of a logical statement injected into the valid SQL statement called for that page. This type of attack can time serious attack because a new statement must be created for each bit recovered. And there are a number of tools which power this type of attacks once the location of the weakness and target information is established. [12]

Risks Associated with SQL Injection

Some of the SQL attacks are automated and it can be carried out automatically and if the attacker attacks but gain nothing then the treat will disappear soon. But those who attack using SQL injection find the weakness and attack on it and make it profitable as the attackers can access the database as the result of this access the attackers can sold the data or can delete it. While the advance techniques of attacks allows the attackers to access the whole system unrestricted SQL injection can also be used in tandem with other exploits, such as cross-site scripting, to manipulate how data is displayed to a web site's visitors. [13]

Not preventing SQL Injection attacks leaves your business at great risk of: [13]

Changes to or deletion of highly sensitive business information.

Steal customer information such as social security numbers, addresses, and credit card numbers.

Financial losses

Brand damage

Theft of intellectual property

Legal liability and fines

Need to avoid the SQL Injection Attacks

SQL injection is not a new technique as it has been discovered 10 years ago but in recent years there is a dramatic increase in the number of SQL attacks and the losses due to these attacks. In 2008 more than 500,000 web pages are affected due to the attacks and as the result of these attacks the passwords of users are hacked while the recent research confirms that the total of 450,000 attacks take place per day. [13]

But these attacks can be avoided by using proper tools for protection and also proper knowledge about the attacks can help us to in protection. While the attack identifies the weakness and then attack on them as the result attackers get access to the database a database is usually stores data in tables and procedures. [13]

In SQL injection method the attackers aim is to steal or modify the information, data in the database. The SQL Injection attack injects the malicious queries which cause the manipulation of data. Round about all the database of the SQL and programming languages are potentially weak and that's why 60% of website face SQL injection. The threat posed by SQL injection attacks is not solitary. Combined with other vulnerabilities like cross-site scripting, path traversal, denial of service attacks, and buffer overflows the need for web site owners and administrators to be vigilant is not only important but overwhelming.[13]

Survey of attacks in 2011

The table shows the Survey of SQLi attacks in 2011 and there estimated loss during the attacks. [14]


Company Name

Attack Type

Attack Details

Estimated Loss

April 20

Sony Playstation Network


LulzSec claims to shave stolen personal information from millions of users from PSN and Qriocity. 100 million users affected.

US $13.4 Billion

April 26



Lulzsec steal information of more than 250,000 pe0ples from Fox's show the Xfactor. Few days later personal data of employees are stolen some Linkedin accounts defaced.

US $15 Million

May 10

Citigroup Inc


Some users discover a breach on the online platform pand steal data belonging to 200,000users.

US $2.7 Million

June 16



Hackers acquire 1,290,755 users' name, emails addresses, date of birth and encrypted passwords.

US $77 Million

July 8

IRC Federal


In name of Antisec Movement, Anonymous claims to have hacked another FBI contractor, ORC Federal, dumping the stolen data at The Pirate Bay.

Not Knownn

July 11

Booz Allen Hamilton


Anonymous attacks consulting film Booz Allen Hamilton and releases details on internal data including 90,000 military emails and passwords.

US $30,388,000,00

July 25

GIS (A subsidiary of Austrian Broadcaster ORF)


Anonymous Austria acquires 214,000 data files, including 96,000 containing sensitive bank account information.

US $45,796,000,00

Aug 1

PCS Consultants


Another U.S. Government contractor, PCS Consultants gets hacked by Anonymous & Antisec. Hackers extract website Database and leak it on the internet via Twitter on Pastebin (as usual!). Leaked Data include Admin's and 110 users' emails, plus passwords in encrypted hashes.

Not available

Aug 6

Law Enforcement Agencies


After the first attack to Law Enforcement Institutions in July, Anonymous and LulzSec, as part of what they define the ShootingSheriffsSaturday, leak again 10 Gb of Data from the same Law Enforcement Agencies, including private police emails, training files, snitch info and personal info. The attack was made in retaliation for anonymous arrests

Not available

Aug 22


@ThEhAcKeR12, an admirer of Anonymous acts independently to breach an outsourced provider and steal a customer list with 20,000 log-in credentials. Many on the list were U.S. government employees.

US $4,280,000

Sep 3

Indian Government


An Indian Hacker named "nomcat" claims to have been able to hack into the Indian Prime Minister's Office Computers and install a Remote Administration Tool) in them. He also Exposes the Vulnerability in Income Tax website and Database Information.

Not available

Sep 5

Uronimo Mobile Platform


The Uronimo Mobile platform is hacked by Team Inj3ct0r. They leak the web site database and release on Pastebin internal data including Username, Hash Password, emails and Phone Numbers of 1000 users.

US $214,000

Sep 26

Austrian Police


The Austrian Anonymous branch publishes the names and addresses of nearly 25,000 police officials, raising fears for officers' personal security. An Austrian Interior ministry spokesman said the information came from an "association closely related with the police".

US $5,400,00

Oct 10


UKGraffiti is hacked by Anonymous_DR (Anonymous Dominicana) who also dumps usernames, emails and encrypted passwords.

Not available

Oct 14

Venezuela National Graduate Advisory Council


A cyber-attack done by @SwichSmoke, this time they leak the Venezuela National Graduate Advisory Council and release the leaked data on pastebin.

Not available

Oct 24


The database of (containing 715,000 customers) is leaked. Stolen information includes 1,200,000 tickets and 80,000 passport numbers.

US $153

Oct 26


314 job seekers' e-mail addresses and clear-text passwords acquired and dumped.

US $67,000

Nov 8

Oh Media Network


A huge dump by TeamSwas Tika after the Facebook dump in October. The latest victim is OhMedia and the keajs include over sixty thousand accounts. Leaks contain emails and passwords.

US $13 Million

Nov 21



An unknown hacker releases a dump of 563 accounts from The leak contains emails and encrypted passwords.

US $120,000

Nov 23

Club Penguin V


309 usernames, e-mails addresses, passwordsand IP from Club Penguin Private Server are dumped on pastebin.

US $66,000.

Nov 27

IIIT-H Alumni Association


Another example of the cyberwar between India and Pakistan. The Hyderbad Alumni Association website is hacked and has a dump of 550+ user accounts on pastebin.

US $120,000

Nov 30


This is hacked with 2744 accounts leaked.

US $590,000

Dec 4



The Yamaha Racing Factory Website ( 9s hacked and the hacker leaks the section of their database that contains customer credentials. A number of 10,000 email addresses, username and clear text passwords is leaked.

US $2,140,000

Dec 6



A hacker going by the name of Tringle2011 hacks and dumps an amount of information from the ENPI website. ENPI is a project supported by the European Commission. The leak contains nearly 300 accounts from the newsletter subscriber with encrypted passwords.

Not available

Dec 10



A game site becomes the victim of hackers who leaks the database and more than 100 user and administration accounts logins.

US $21,400

Dec 22


The long trail of security breaches in China continues. Another gaming site is breached and data belonging to million users are dumped on the internet.

US $1.7 Billion

Dec 22


It is the fourth massive breach in China affecting game site and its 10 million accounts have been hacked

US $2.1 Billion

About SQL Injection Attacks

SQL injections attacks are the second most type of the attacks happened in the world it is 27% of the total attacks. On average, a targeted web application can suffer 71 SQL injection attempts an hour. While in some instances, SQL attacks on specific applications and websites have been recorded at a rate of up to 1,300 attempts per hour. These attacks have impacts that range from slowed site performance to complete denial of service. [15]

On the other hand there is the financial cost. Like in June 2012 attacks on LinkedIn resulted in nearly $1 million in instant remediation costs, as well as an additional $2-$3 million in requirement upgrades in order to avoid further attacks. This payment was made after more than 6.5 million passwords were stolen. Source: [15]

Protection from SQL injection Attacks

In order to protect website/applications from the SQLi attacks DotDefender's is used it is a unique security approach which eliminates the need to learn the specific threats that exist on each web application. The software that runs dotDefender efforts on examining the request and the impression it has on the application. Effective web application security is based on three powerful web application security engines:

Pattern Recognition

Session Protection

Signature Knowledgebase

The Pattern Recognition web application security engine used by dotDefender and it protects against malicious behavior such as SQL Injection and Cross Site Scripting. The patterns are regular expression-based and this pattern is designed in such a way that it accurately and efficiently identify the attack methods on the various applications and websites. Due to this reason it has extremely low false positive rate. [13]

Types of SQL injection Attacks that DotDefender Blocks

DotDefender blocks against various SQL Injection techniques including, but not limited to: [13]

Terminating queries using quotes, double-quotes, SQL comments.

Stored procedure names.

Comparison queries using commands such as BETWEEN, LIKE, ISNULL.

Database manipulation commands such as TRUNCATE, DROP.

Reserved words such as CASE WHEN, EXEC.

Blindfolded injection techniques such as Boolean queries and WAITFOR DELAY.

Database-unique attacks relating to Oracle, MySQL, MS-SQL.

Signature evasion techniques such as using CONVERT & CAST.

Buffer overflow attacks via SQL Injection.

XML and Web-Services encapsulating SQL Injection techniques.

Null byte signature evasion.

HEX encoding mixtures for signature evasion.

Using SQL CHAR () for signature evasion.

Zero-day protection against MS-SQL stored procedure attacks such as MS08-040.


From this paper we conclude that the major part of the attacks which the websites/applications face is the SQL injection attack. And this type of attacks damages the database and steals or changes the data in the database. It has different types which attack differently. We need to avoid these types of attacks because these attacks damage the database and sometime this attack can't be reversed. A survey of attacks in 2011 tells us that the rate of SQLi attacks is greater as compared to other types of attacks and the loss due to this type of attack is also high. In order to avoid this type of attack we have to use some precautions like we have to use the "dotdefender" it is an security approach and it is used to block the various types of SQLi attacks as the result of the blockage we can protect our website/application.