SQLrand: Preventing SQL Injection Attacks

14 years 6 months ago

Download www1.cs.columbia.edu

We present a practical protection mechanism against SQL injection attacks. Such attacks target databases that are accessible through a web frontend, and take advantage of ﬂaws in the input validation logic of Web components such as CGI scripts. We apply the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker. Queries injected by the attacker will be caught and terminated by the database parser. We show how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language. Our mechanism imposes negligible performance overhead to query processing and can be easily retroﬁtted to existing systems.

Stephen W. Boyd, Angelos D. Keromytis

Real-time Traffic

ACNS 2004 | Attacks Target Databases | Cryptography | Practical Protection Mechanism | SQL Injection Attacks |

claim paper

Post Info
More Details (n/a)

Added	30 Jun 2010
Updated	30 Jun 2010
Type	Conference
Year	2004
Where	ACNS
Authors	Stephen W. Boyd, Angelos D. Keromytis

Comments (0)

Sciweavers

SQLrand: Preventing SQL Injection Attacks

ACNS 2004 | Attacks Target Databases | Cryptography | Practical Protection Mechanism | SQL Injection Attacks |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers