Using parse tree validation to prevent SQL injection attacks
Source: Foundations of Software Engineering archive
Proceedings of the 5th international workshop on Software engineering and middleware
Lisbon, Portugal
Session: Security in middleware
Pages: 106 - 113
Year of Publication: 2005
ISBN: 1-59593-204-4
Authors
Gregory Buehrer  The Ohio State University, Columbus, OH
Bruce W. Weide  The Ohio State University, Columbus, OH
Paolo A. G. Sivilotti  The Ohio State University, Columbus, OH
Sponsor
SIGSOFT: ACM Special Interest Group on Software Engineering
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 84,   Downloads (12 Months): 478,   Citation Count: 8
DOI: http://doi.acm.org/10.1145/1108473.1108496

ABSTRACT

An SQL injection attack targets interactive web applications that employ database services. Such applications accept user input, such as form fields, and then include this input in database requests, typically SQL statements. In SQL injection, the attacker provides user input that results in a different database request than was intended by the application programmer. That is, the interpretation of the user input as part of a larger SQL statement results in an SQL statement of a different form than originally intended. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input. Our solution is efficient, adding about 3 ms overhead to database query costs. In addition, it is easily adopted by application programmers, having the same syntactic structure as current popular record set retrieval methods. For empirical analysis, we provide a case study of our solution in J2EE. We implement our solution in a simple static Java class, and show its effectiveness and scalability.
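The following is an added illustration of the parse-tree comparison the abstract describes; it is not the paper's Java class and does not reproduce its API. It assumes a tiny SQL subset (SELECT ... FROM ... WHERE with AND/OR, comparisons, string and numeric literals, line comments) and a constructed convention that the programmer marks each user-input position in the template with a `?`. The template is parsed once with `?` as a literal leaf; the query built by naive string concatenation is parsed again, and the two trees are compared with literal values blanked out. Any input that adds, removes or reorders nodes (an extra OR branch, a comment that swallows the rest of the statement) produces a different tree and is rejected, while an input that merely fills one literal slot passes.

```python
import re

# Constructed toy SQL subset, for illustration only (not the paper's parser).
TOKEN_RE = re.compile(r"""
    \s+                             |   # whitespace, skipped
    --[^\n]*                        |   # line comment, skipped
    (?P<str>'(?:[^']|'')*')         |   # string literal, '' escapes a quote
    (?P<num>\d+(?:\.\d+)?)          |   # numeric literal
    (?P<param>\?)                   |   # assumed user-input placeholder
    (?P<op><=|>=|<>|=|<|>)          |
    (?P<punct>[(),;*])              |
    (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
""", re.VERBOSE)

class SQLSyntaxError(Exception):
    pass

def tokenize(sql):
    pos, tokens = 0, []
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise SQLSyntaxError(f"unexpected character at {pos}: {sql[pos]!r}")
        pos, kind = m.end(), m.lastgroup
        if kind is None:                     # whitespace or comment
            continue
        text = m.group(kind).upper() if kind == "ident" else m.group(kind)
        tokens.append((kind, text))
    return tokens

class Parser:
    """Recursive-descent parser producing nested tuples as the parse tree."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, text=None):
        k, t = self.peek()
        if (kind and k != kind) or (text and t != text):
            raise SQLSyntaxError(f"expected {text or kind}, got {t!r}")
        self.i += 1
        return k, t
    def statement(self):
        self.take("ident", "SELECT")
        cols = self.select_list()
        self.take("ident", "FROM")
        table = self.take("ident")[1]
        where = None
        if self.peek() == ("ident", "WHERE"):
            self.take()
            where = self.disjunction()
        if self.peek()[1] == ";":
            self.take()
        if self.peek()[0] is not None:
            raise SQLSyntaxError(f"trailing tokens: {self.peek()[1]!r}")
        return ("SELECT", cols, table, where)
    def select_list(self):
        if self.peek() == ("punct", "*"):
            self.take()
            return ("*",)
        cols = [self.take("ident")[1]]
        while self.peek() == ("punct", ","):
            self.take()
            cols.append(self.take("ident")[1])
        return tuple(cols)
    def disjunction(self):
        node = self.conjunction()
        while self.peek() == ("ident", "OR"):
            self.take()
            node = ("OR", node, self.conjunction())
        return node
    def conjunction(self):
        node = self.comparison()
        while self.peek() == ("ident", "AND"):
            self.take()
            node = ("AND", node, self.comparison())
        return node
    def comparison(self):
        if self.peek() == ("punct", "("):
            self.take()
            node = self.disjunction()
            self.take("punct", ")")
            return node
        left = self.operand()
        op = self.take("op")[1]
        return (op, left, self.operand())
    def operand(self):
        k, t = self.take()
        if k in ("str", "num", "param"):
            return ("LITERAL", t)            # value kept here, blanked by shape()
        if k == "ident":
            return ("COLUMN", t)
        raise SQLSyntaxError(f"bad operand {t!r}")

def parse(sql):
    return Parser(tokenize(sql)).statement()

def shape(node):
    """Parse tree with literal values removed, so only structure is compared."""
    if isinstance(node, tuple):
        if node and node[0] == "LITERAL":
            return ("LITERAL",)
        return tuple(shape(c) for c in node)
    return node

def build_query(template, inputs):
    """The vulnerable pattern: each ? becomes '<input>' with no escaping."""
    parts = template.split("?")
    if len(parts) - 1 != len(inputs):
        raise ValueError("placeholder/input count mismatch")
    out = parts[0]
    for value, rest in zip(inputs, parts[1:]):
        out += "'" + value + "'" + rest
    return out

def guarded_query(template, inputs):
    """Return the built SQL only if its parse tree matches the template's tree."""
    expected = shape(parse(template))
    sql = build_query(template, inputs)
    try:
        actual = shape(parse(sql))
    except SQLSyntaxError:                   # unparsable result is rejected too
        return None
    return sql if actual == expected else None

if __name__ == "__main__":
    TEMPLATE = "SELECT id, role FROM users WHERE name = ? AND pw = ?"
    for name, pw in [("alice", "s3cret"), ("' OR '1'='1", "x"), ("admin'--", "")]:
        result = guarded_query(TEMPLATE, [name, pw])
        print(f"{name!r:16} -> {'ALLOWED: ' + result if result else 'REJECTED'}")
```

Note that the check is structural only: a benign value containing a quote (such as a surname with an apostrophe) also fails here because the naive concatenation breaks tokenization, which is the right outcome for a validator but a reminder that escaping or, better, parameterized statements remain the primary fix. Parse-tree validation is most useful where string-built SQL cannot be removed from an existing code base.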

