Detecting Data Leaks Using SQL Injection

Jaya Srivastava, Priyal Agrahari, Pramiti Sirothia, Kartikeya Mishra ,Om Pravin Singh
Information Technology
ABES Engineering College
Email: jaya.srivastava@abes.ac.in,priyal.20b0131056@abes.ac.in,
pramiti.20b0131114@abec.ac.in, kartikeya.20b0131118@abes.ac.in,
om.20b0131119@abes.ac.in,
Abstract— SQL injection attacks are a serious security threat. These practices serve as a line of defence,
risk as they have increased in frequency and severity over ensuring that user inputs are thoroughly scrutinized
time. These attacks target an application's database layer
explicitly. When user input into SQL statements is not and sanitized before interacting with the database,
sufficiently screened for string literal escape characters, a thus reducing the likelihood of successful SQL
vulnerability occurs. In essence, attackers use this flaw to injection attacks.
change the SQL queries that the database runs.
Further increasing the danger is weak typing by the In today's interconnected digital landscape, where
user, which might result in the unintentional execution of
malicious code. This implies that it will be simpler for data is the lifeblood of countless applications and
attackers to carry out malicious orders if the program services, the security and integrity of databases are
does not enforce tight data types for user input. of paramount importance. Cyber threats,
SQL injection is still a widely used attack method in particularly SQL injection attacks, pose a persistent
application layer assaults nowadays. The aforementioned and severe risk to the confidentiality and reliability
project's goal is to put SQL injection prevention
mechanisms in place as a reaction to this persistent of sensitive information stored in database .By
danger. By making sure that inserted queries do not undertaking this project, our aim is to develop
jeopardize the integrity of the system, the project seeks robust and intelligent mechanisms for identifying
to safeguard the database. This entails putting in place and preventing data leaks through SQL injection
strong input validation and filtering procedures to attacks. We envision a comprehensive solution that
counteract the risk of malicious SQL injection attacks and
improve the software system's overall security. goes beyond conventional security measures,
utilizing advanced detection algorithms, machine
I. INTRODUCTION learning techniques, and real-time monitoring to
SQL injection stands out as a particularly serious swiftly identify and thwart potential breaches. The
threat to the security and stability of your significance of this project lies not only in its
database. It is a sophisticated method of attack potential to protect sensitive data but also in
wherein malicious code is strategically injected into contributing to the broader cybersecurity
SQL statements, leading to potentially disastrous landscape. As we enhance our understanding of
consequences. This technique has gained notoriety SQL injection vulnerabilities and develop effective
for its prevalence and effectiveness, making it a countermeasures, we aim to empower developers,
common weapon in the arsenal of web hackers. At businesses, and organizations to build and maintain
its core, SQL injection exploits vulnerabilities in the more secure web applications. Ultimately, the
way web applications handle user input, motivation behind "Detecting Data Leaks Using SQL
particularly when soliciting information like Injection" is to create a proactive defense system
usernames or user IDs. The repercussions of a that anticipates and neutralizes SQL injection
successful SQL injection attack are substantial. threats, thereby fortifying the digital infrastructure
Attackers can manipulate, extract, or even delete upon which our modern society relies.
critical data within the database, potentially
compromising the integrity and confidentiality of II. LITERATURE REVIEW
sensitive information. This not only jeopardizes the OWASP TOP Project:
functionality of the affected web application but The Open Web Application Security Project
also exposes users and organizations to significant (OWASP) has been a leading advocate for
risks. Mitigating the risk of SQL injection demands promoting best practices in securing web
robust security measures. Implementing thorough applications. The OWASP TOP Project, specifically
input validation, adopting parameterized queries, addressing SQL Injection, serves as a fundamental
and utilizing prepared statements are crucial steps resource for understanding and mitigating
in fortifying web applications against this pervasive vulnerabilities related to SQL injection. This
comprehensive guide offers insights into the latest algorithms play in bolstering online application
threats, preventive measures, and industry security.
standards, significantly contributing to the
collective knowledge in the field. Web Application Security Assessment by Fault
Injection and Behaviour Monitoring:
Protection of Personal Data in Information Systems: A approach for evaluating the security of online
Bojken et al. (2013) delve into the critical aspect of applications is presented by Huang et al. (2003),
safeguarding personal data within information which combines behavior monitoring with fault
systems [2]. The study emphasizes the necessity for injection [6]. By mimicking actual attack scenarios,
robust security measures to protect sensitive this method offers a proactive way to find
information, shedding light on the importance of vulnerabilities, especially SQL injection-related
addressing vulnerabilities like SQL injection. This ones. The study highlights the value of behavior
work provides valuable insights into the broader monitoring as an additional tactic to traditional
context of information security and underscores preventative methods.
the significance of preventing SQL injection for
protecting personal data. III. PROPOSED MODEL
The procedure begins with the collection of
Web Security Vulnerabilities from the Programming
relevant data, in which critical aspects are found for
Language Perspective:
further examination. The data is formatted and
By looking at online security flaws from the
arranged to conform to the intended structure once
perspective of programming languages, Seixas et al.
it is gathered. Next, the prepared data is divided
(2009) offer a distinctive viewpoint [3]. Through an
into training and testing sets. The process of
examination of the connection between online
training a model is aided by the training data, which
security and programming languages, the research
serves as input for several algorithms. The model's
expands our knowledge of the variables affecting
performance is then assessed by comparing its
the frequency of vulnerabilities such as SQL
accuracy to independent data, which provides
injection. This study adds to the current
information on how well it can generalize and
conversation about web application security by
forecast on previously untested data. Key modules,
taking the programming language aspect into
namely data collection, data preparation, model
account.
selection, model training, model assessment, and
predictions, are implemented to build the overall
SQLIA: Detection and Prevention Techniques - A
system. Each module has a specific function.
Survey:
Throughout the workflow, this methodical
A thorough analysis of SQL Injection Attacks (SQLIA)
methodology guarantees effective data analysis,
is carried out by Yane and Chaudhari (2013), with
model training, and predictive capabilities.
an emphasis on methods for detection and
Python is the most popular programming
prevention [4]. The survey synthesizes current
language in the field of machine learning and data
understanding and highlights patterns in the
analysis, mostly because of its many libraries and
dynamic field of SQL injection protection. For
frameworks created specifically for these uses.
scholars and practitioners looking for a
Important libraries like scikit-learn, NumPy, and
comprehensive understanding of several methods
others contribute much to Python's supremacy in
for identifying and preventing SQL injection, this
the area and sustain its prominence.
study is a great resource.
Python uses useful tools in data gathering and
preparation to make these important tasks go more
Parse Tree Validation to Prevent SQL Injection
quickly. For example, pandas is a flexible and
Attacks:
essential tool for preprocessing and data
A novel method of preventing SQL injection
manipulation that helps practitioners handle, clean,
attacks is suggested by Buehrer et al. (2005) and
and arrange information effectively, laying the
involves the use of parse tree validation [5]. The
groundwork for further analytical work.
technique seeks to detect and stop malicious
Another crucial element, NumPy, provides strong
injections by evaluating the parse tree structure of
support for numerical operations on matrices and
SQL queries. This study offers a fresh viewpoint on
arrays. This feature improves the speed of
the variety of methods available to protect against
calculations and manipulations involving huge
SQL injection, emphasizing the role that parsing
datasets and is essential for managing the We have used well known Python libraries like
mathematical complexities included in machine Scikit-Learn for data preprocessing, feature
learning algorithms. selection, and model evaluation.
Furthermore, because it provides practitioners We have used various machine learning algorithm
with a wide range of tools for feature selection, to test the accuracy of all the algorithm and did a
data preparation, and model validation, the scikit- comparative study.
learn package is crucial to the workflow of data
science. Scikit-learn makes it simple for users to A. Decision tree
prepare data, locate relevant features, and assess
A decision tree is a commonly used machine
the performance of machine learning models,
learning algorithm applicable to both classification
significantly enhancing the overall efficacy of the
and regression tasks. The model is structured like
analytical process.In summary, Python's strong
a tree, where an internal node represents a
ecosystem of libraries and frameworks highlights
feature or attribute, the branches depict decision
the language's supremacy in machine learning and
rules, and each leaf node indicates the outcome
data analysis. In this ecosystem, scikit-learn,
or target variable. Valued for their simplicity and
Pandas, and NumPy stand out as essential
interpretability, decision trees are advantageous
resources that when combined enable practitioners
for individuals at various expertise levels in the
to handle the complex terrain of data manipulation,
field of machine learning.
preprocessing, and model assessment with
In the context of decision trees, they are
unmatched variety and efficiency.
visualized as tree structures where each internal
node represents a feature, each branch
IV. METHODOLOGY represents a decision rule, and each leaf node
represents a prediction. The process involves
Machine Learning iteratively dividing the data into progressively
smaller subsets based on the values of the
Within the field of artificial intelligence, machine features. At each node, the algorithm selects the
learning focuses on creating models and algorithms feature that best divides the data into groups with
that allow computers to learn and make judgments distinct target values.
without the need for specific programming. This
dynamic area includes several methods, such as B. Support Vector Classifier
unsupervised learning, which investigates data
patterns without labels, and supervised learning, in Support vector machine classifiers, or SVM
which algorithms are taught on labelled datasets. classifiers for short, are adaptable machine
Semi-supervised learning incorporates aspects of learning algorithms designed for data analysis and
both labeled and unlabelled data for training, classification. It functions as a supervised learning
whereas reinforcement learning trains models to method and is applicable to problems involving
make sequential decisions through interaction with regression and classification. Finding a hyperplane
an environment. Using multi-layered neural that maximizes the margin between distinct
networks, deep learning is a prominent branch of classes is the core idea of the Support Vector
machine learning that excels at tasks like voice and Machine (SVM) classifier, often known as a max-
picture recognition. Machine learning has margin classifier.
applications in a wide range of fields, including
banking, healthcare, computer vision, natural SVM is widely used in a variety of applications,
language processing, and driverless cars. Machine including text classification, face expression
learning depends on both the volume and quality of analysis, and handwritten digit recognition. Its
training data to be effective, and as technology efficacy has been widely acknowledged. Some of
develops, machine learning keeps growing and its benefits are its ability to handle enormous
finding new uses in a variety of sectors. datasets with ease and its tolerance to noise.

V. IMPLEMENTATION
Our data analytics application’s backend has been
carefully developed with Python Our utilization of
the Python library Pandas has allowed for the
implementation of strong analytics for sales data.
SVM is noteworthy for its capacity to handle non- 6. Difficulties: Determining the proper context
linear problems, which is achieved by utilizing window for taking into account previous
kernel functions. For example, the popular RBF observations and vanishing or inflating gradients
(radial basis function) kernel makes it easier to in deep learning models are two difficulties in
transfer data points into a higher-dimensional modelling sequential dependencies.
7. Online Learning: Sequential regression
space so that they may be separated linearly. After
models work well in situations where fresh data is
this transformation, SVM searches the new space
constantly being added to the model, such as in
for the best hyperplane to precisely categorize data educational websites.
points into the appropriate classes. SVM is widely 8. Evaluation: Measures such as Mean Squared
used in many machine learning applications due in Error (MSE) for continuous predictions or accuracy
part to its capacity to handle non-linear problem for classification tasks may be included in the
domains. assessment metrics for sequential regression
C. Logistic Regression tasks.l
D. Sequential Regression
A predictive model is created using sequential
regression, a statistical modeling or machine One popular machine learning method in the field
learning technique, to predict results for a series of supervised learning is logistic regression. Its
of dependent variables. It basically involves primary goal is to use a given collection of
making predictions about a sequence of events independent factors to predict the value of a
that will occur over time or in a certain order. categorical dependent variable. Instead of
Key concepts of sequential regression to producing definite values like 0 or 1, Yes or No, or
understand are as follows: true or false, the algorithm generates outcomes in
1. Time Dependency: Sequential regression the form of probability values ranging from 0 to 1,
relies heavily on the timing and sequence of data. which are then used to forecast the outcome of a
Based on past data, the model takes into account categorical dependent variable. Unlike linear
the temporal sequence of occurrences and tries regression, which is used to solve regression
to estimate the value that will occur next. problems, logistic regression is designed to solve
2. Variable Dependency: In sequential classification difficulties. Logistic regression uses a
regression, predictions are based on the values of "S"-shaped logistic function to predict values of 0 or
the preceding observations in the series. The 1, as opposed to fitting a regression line.
dependencies and correlations between the The implementation of all these machine learning
variables in the sequence are considered by the algorithms is done in following steps:
model.  Importing essential libraries
3. Applications: In time series analysis, when When working with Python for data analysis and
the objective is to forecast future values in a time- machine learning tasks, it is imperative to import
ordered sequence, sequential regression is essential packages to harness their functionalities.
frequently used. It is used in many different fields,
To do so, the common practice is to use the
including natural language processing,
meteorological forecasting, finance (stock pricing), Python package manager, pip. In this specific
and sentence prediction. scenario, the installation of three crucial packages
4. Recurrent Neural Networks (RNNs): For —Pandas, NumPy, and Scikit-learn—is necessary
sequential regression problems, recurrent neural to facilitate various aspects of data manipulation,
networks (RNNs) are widely employed in deep numerical operations, and machine learning
learning. RNNs preserve hidden states in model development.
sequential data in order to extract knowledge
 Decision tree implementation
from earlier stages.
5. Autoregressive Models: Autoregressive After applying the decision tree model, we
models are a type of traditional statistical models get an accuracy of 81.47% ,which is a good
for sequential regression in which the current fitted result.
value in the series is represented as a linear  Support vector classifier
mixture of earlier values. In time series analysis,
On applying this algorithm, we get an
autoregressive Integrated Moving Average
(ARIMA) models are one type of. accuracy of
 99.48% .This gives an overfitted result. [5] Raghav Kukreja , Nitin Garg 2014.
 Logistic Regression OVERVIEW OF SQL INJECTION
On applying the Logistic regression we ATTACK international journal of
get an accuracy of 99.3 which also an innovative research in technology Volume
1 Issue 5.
overfit.
[6]Cheon, Eun Hong, Zhongyue Huang,
 Sequential regression and Yon Sik Lee(2013). "Preventing SQL
This algorithm gives an accuracy of Injection Attack Based on Machine
62.95% which is gives an underfit result Learning." International Journal of
Advancements in Computing Technology
After testing all the algorithms ,we can 5.9
conclude that the
Decision tree is the best fitted algorithm for this [7] Joshi, Anamika, and V. Geetha.( 2014 )
project. "SQL Injection detection using machine
learning." Control, Instrumentation,
VII. CONCLUSIONS
Communication and Computational
Technologies (ICCICCT), International
The primary objective is to develop an
intelligent and adaptive system that not only
Conference on. IEEE, 2014.
identifies and neutralizes SQL injection attempts
but also proactively strengthens the overall
security of web databases. Building upon the
principles outlined in the OWASP TOP Project, this
research aims to enhance existing methodologies
by integrating advanced anomaly detection,
dynamic query sanitization, and behavioral
monitoring techniques. By doing so, the research
seeks to address the limitations of current
prevention strategies, such as adaptability to
evolving attack vectors and the potential trade-off
between security and system performance.

REFERENCE
[1] Visit`
https://wikipedia.org/wiki/Big_data`

[2] Zhendong Su and Gary Wassermann, in

[3]SQL Injection Detection Methods :Qi

[4] SQL Injection Detection Using