1
Database System Implementation CSE 507
SQL Injection
Presented By: Manisha Sharma (MT15031) and Kanupriya Batra (MT15025)
2
Introduction
When SQL is used to display data on webpages, it is common to let users enter their search values.
  txtUserId = getRequestString("UserId");
  txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
User Name : testUser
Password : *****
3
SQL Injection - Definition
Technique where malicious users can inject SQL commands into an SQL statement via web input. Injected SQL commands can alter SQL statements and compromise the security of the web application.
4
SQL Injection based on 1=1 is always true
User Name : 1501 or 1=1
Server Result : Select * from Users where userid = 1501 or 1=1
Retrieves all the rows from the table Users. What if the table contains the passwords?
5
SQL Injection based on Batched SQL Statements
Databases support batched SQL statements, separated by semicolons.
Example:
User id : 105; DROP TABLE Suppliers
Result : SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers
Returns all rows from table Users and then deletes the table Suppliers.
You can prevent SQL injection if you adopt an input validation technique in which user input is validated against a set of defined rules for length, type and syntax, and also against business rules.
7
SQL Injection Prevention Ways
8
Need to prevent SQL Injection
SQL injection is one of the most common security vulnerabilities in application software, and it is easy to exploit if security measures have not been taken during code implementation.
9
Ways to prevent SQL Injection
Using Java Prepared Statements (with Parameterized Queries)
Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later.
  // The SQL text is fixed up front; each ? is a bind variable
  PreparedStatement stmt = connection.prepareStatement("SELECT * FROM users WHERE userid=? AND password=?");
  // Values are passed separately and are never parsed as SQL
  stmt.setString(1, userid);
  stmt.setString(2, password);
  ResultSet rs = stmt.executeQuery();
This code is not vulnerable to SQL Injection because it correctly uses parameterized queries, bind variables (i.e. the question marks) and the corresponding setString methods.
10
Ways to prevent SQL Injection
Providing Least Privilege
  Minimize the privileges assigned to every database account in your environment.
  Do not assign DBA or admin type access rights to your application accounts.
  Rarely, if ever, grant create or delete access to database accounts.
Stored Procedure
  These are designed to pass a password in, but it will never be put in any result set.
  The stored procedures for registering and authenticating a user for the website might be:
    RegisterUser
    VerifyCredentials
    ChangePassword
  Validate data if the stored procedure is going to use EXEC(some_string).
11
Ways to prevent SQL Injection
Cleaning and Validating input
  Used to detect unauthorized input before it is passed to the SQL query.
  Provides a way to enter surnames such as "O'Brian" or "D'Arcy" (avoiding injection).
  A user may want to enter numbers in an application, which sometimes leads to a security breach. It is therefore required that the input from the user is checked and validated to determine that it really is a number, and in the valid range.
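The following is an added example, not part of the original slides. It runs the "1501 or 1=1" input from the earlier slide through a concatenated query, a parameterized query, and a numeric range check. It uses Python's sqlite3 module rather than the JDBC code shown in the slides; the table columns, sample rows and the allowed ID range are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory Users table with constructed sample rows (not from the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (UserId INTEGER, Surname TEXT, Password TEXT)")
    db.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(1501, "O'Brian", "pw-a"), (1502, "D'Arcy", "pw-b"), (1503, "Sharma", "pw-c")],
    )
    return db

def lookup_concatenated(db, user_id_text):
    """Vulnerable form from the Introduction slide: input becomes part of the SQL text."""
    return db.execute("SELECT * FROM Users WHERE UserId = " + user_id_text).fetchall()

def lookup_parameterized(db, user_id):
    """Bind variable: the input is only ever compared as a value, never parsed as SQL."""
    return db.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()

def lookup_surname(db, surname):
    """An apostrophe in a bound value needs no escaping and cannot end the string literal."""
    return db.execute("SELECT UserId FROM Users WHERE Surname = ?", (surname,)).fetchall()

def parse_user_id(text, low=1, high=999999):
    """Check that the input really is a number and in the valid range (range is assumed)."""
    if not (text.isascii() and text.isdigit()):
        raise ValueError("UserId must contain digits only")
    value = int(text)
    if not low <= value <= high:
        raise ValueError("UserId out of range")
    return value

if __name__ == "__main__":
    db = make_db()
    payload = "1501 or 1=1"
    print("concatenated :", len(lookup_concatenated(db, payload)), "rows")
    print("parameterized:", len(lookup_parameterized(db, payload)), "rows")
    print("surname      :", lookup_surname(db, "O'Brian"))
    try:
        parse_user_id(payload)
    except ValueError as err:
        print("validation   :", err)
```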
12
Conclusion
With security threats increasing day by day, it's high time to focus on these threats and on ways and methods to prevent them.
13
Thank you Kanupriya Batra, Manisha Sharma