DOI: 10.1145/3383972.3384028
research-article

A Survey on SQL Injection Attacks, Detection and Prevention

Published: 26 May 2020

Abstract

Since the use of the Web in daily life has increased over the past 20 years and is now a trend, almost every Web application has its own database to store important data. An attacker can obtain or even modify data in the database through an SQL injection vulnerability, which makes it one of the most serious problems in Web application security. In this paper, we present a detailed review of the various types of SQL injection attacks and of detection techniques based on machine learning. We also propose future expectations and possible development of countermeasures against SQL injection vulnerability at the end of the article.



Published In

ACM Other conferences
ICMLC '20: Proceedings of the 2020 12th International Conference on Machine Learning and Computing
February 2020
607 pages
ISBN:9781450376426
DOI:10.1145/3383972
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

  • Shenzhen University

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Dynamic analysis
  2. SQL injection
  3. Static analysis
  4. Vulnerability detection

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICMLC 2020


Article Metrics

  • Downloads (Last 12 months): 119
  • Downloads (Last 6 weeks): 5

Reflects downloads up to 31 Jan 2025

Cited By

  • (2024) Continuous Monitoring of Web Server Assaults Using Machine Learning. 2024 Second International Conference on Emerging Trends in Information Technology and Engineering (ICETITE) (1-5). DOI: 10.1109/ic-ETITE58242.2024.10493548. Online publication date: 22-Feb-2024
  • (2023) Code Injection Attacks in Wireless-Based Internet of Things (IoT): A Comprehensive Review and Practical Implementations. Sensors 23:13 (6067). DOI: 10.3390/s23136067. Online publication date: 30-Jun-2023
  • (2023) Security Architecture for Secure Train Control and Monitoring System. Sensors 23:3 (1341). DOI: 10.3390/s23031341. Online publication date: 25-Jan-2023
  • (2023) A Machine Learning Methodology for Detecting SQL Injection Attacks. 2023 3rd International Conference on Technological Advancements in Computational Sciences (ICTACS) (184-191). DOI: 10.1109/ICTACS59847.2023.10390153. Online publication date: 1-Nov-2023
  • (2023) Detection of SQL Injection and Cross-Site Scripting Based on Multi-Model CNN Combined with Bidirectional GRU and Multi-Head Self-Attention. 2023 5th International Conference on Computer Communication and the Internet (ICCCI) (142-150). DOI: 10.1109/ICCCI59363.2023.10210155. Online publication date: 23-Jun-2023
  • (2022) Detection and prevention of SQLI attacks and developing compressive framework using machine learning and hybrid techniques. Journal of Big Data 9:1. DOI: 10.1186/s40537-022-00678-0. Online publication date: 30-Dec-2022
  • (2022) A Secure Design Pattern Approach Toward Tackling Lateral-Injection Attacks. 2022 15th International Conference on Security of Information and Networks (SIN) (01-04). DOI: 10.1109/SIN56466.2022.9970499. Online publication date: 11-Nov-2022
  • (2022) SQL Injection Detection Using 2D-Convolutional Neural Networks (2D-CNN). 2022 International Conference on Data Science and Intelligent Computing (ICDSIC) (212-217). DOI: 10.1109/ICDSIC56987.2022.10075777. Online publication date: 1-Nov-2022
  • (2022) A SQL Blind Injection Method Based on Gated Recurrent Neural Network. 2022 7th IEEE International Conference on Data Science in Cyberspace (DSC) (519-525). DOI: 10.1109/DSC55868.2022.00078. Online publication date: Jul-2022
  • (2022) Deep Learning Approach Based on ADASYN for Detection of Web Attacks in the CICIDS2017 Dataset. Rising Threats in Expert Applications and Solutions (53-62). DOI: 10.1007/978-981-19-1122-4_7. Online publication date: 4-Jul-2022
