Sciweavers

Share
ACNS
2004
Springer

SQLrand: Preventing SQL Injection Attacks

11 years 6 months ago
SQLrand: Preventing SQL Injection Attacks
We present a practical protection mechanism against SQL injection attacks. Such attacks target databases that are accessible through a web frontend, and take advantage of flaws in the input validation logic of Web components such as CGI scripts. We apply the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker. Queries injected by the attacker will be caught and terminated by the database parser. We show how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language. Our mechanism imposes negligible performance overhead to query processing and can be easily retrofitted to existing systems.
Stephen W. Boyd, Angelos D. Keromytis
Added 30 Jun 2010
Updated 30 Jun 2010
Type Conference
Year 2004
Where ACNS
Authors Stephen W. Boyd, Angelos D. Keromytis
Comments (0)
books