SQLIPA: An Authentication Mechanism Against SQL Injection

Abstract
Web applications have developed very rapidly. They use a database at the backend for storing data and SQL for inserting and retrieving data. Some malicious attacks can deceive this SQL; these attacks are called SQL injection. Many techniques have been proposed to stop SQL injection, but they require large code modification and/or large extra time overhead. This paper proposes a technique that uses hash values of the user name and password to improve the authentication process. We built a prototype, SQL Injection Protector for Authentication (SQLIPA), to evaluate the idea.
Keywords: Database security, SQL injection, Authentication
1. Introduction
In today’s world of ubiquitous computing, every person remains connected to the internet. In this situation web security is essential, and it is a challenging part of web applications (A. Kiezun and Ernst 2009). A number of techniques are in use for securing web applications. The most common is authentication through a username and password. One of the major problems in the authentication process is input validation checking (Boyd and Keromytis 2004; K. Wei and Kothari 2006; R. Ezumalai 2009). There are some major threats to web application security, for example SQL injection and buffer overflow, which can break the security of a web application (Geer 2008).
SQL injection is so dangerous that it can bypass many traditional security layers such as firewalls, encryption, and traditional intrusion detection systems (R. Ezumalai 2009). It can also bypass the database mechanisms of authentication and authorization (A. Kamra and Guy 2008).
SQL injection can be used not only to violate security by viewing people’s private data but also to bypass user authentication, which is a big flaw in web applications.
SQL injection is a major problem among web application vulnerabilities. It should be noted that SQL injection is an easy attack and every developer can easily perform it, which is its most worrying aspect (R. Ezumalai 2009).
The login page is the most complicated page of a web application; it allows users to enter the database after authenticating them. On this page, the user provides identity information such as a username and password. Improper input validation may allow the authentication process to be bypassed using a mechanism such as SQL injection (Palmer 2007).
Normally, a web application has a three-tier architecture: the application tier on the user side, the middle tier, which converts user queries into SQL format, and the backend database server, which stores the user data as well as the users’ authentication table. Whenever a user wants to enter the web database through the application tier, the user inputs his/her authentication information in a login form, as shown in figure 1.

Download full report
http://eurojournalsejsr_38_4_11.pdf
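
The login check described above, as an added example that is not the SQLIPA prototype or code from the paper: a middle-tier query built by string concatenation beside a lookup keyed on hashes of the user name and password. The table layout, function names, the constructed account, and the use of SHA-256 and salted PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def name_hash(username):
    # Hex digest: whatever the user typed, only [0-9a-f] reaches the database.
    return hashlib.sha256(username.encode("utf-8")).hexdigest()

def pass_hash(password, salt):
    # Salted, slow hash used as the stored password verifier (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, 100_000).hex()

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, "
               "name_hash TEXT, salt BLOB, pass_hash TEXT)")
    user, pw, salt = "alice", "correct horse", os.urandom(16)  # constructed
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
               (user, pw, name_hash(user), salt, pass_hash(pw, salt)))
    return db

def login_concatenated(db, username, password):
    # Weak form: input is pasted into the SQL text, so a quote character in
    # the input changes the structure of the WHERE clause.
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_hashed(db, username, password):
    # Hardened form: a bound parameter carries a fixed-format digest, and the
    # password is verified in application code, not inside the SQL text.
    row = db.execute("SELECT salt, pass_hash FROM users WHERE name_hash = ?",
                     (name_hash(username),)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], pass_hash(password, row[0]))

CRAFTED = "' OR '1'='1"  # constructed input containing SQL metacharacters

if __name__ == "__main__":
    db = make_db()
    for check in (login_concatenated, login_hashed):
        print(check.__name__,
              "valid:", check(db, "alice", "correct horse"),
              "crafted:", check(db, "alice", CRAFTED))
```
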