Research and Implementation of SQL Injection Prevention Method Based on ISR

The paper presents a novel SQL injection prevention method using Instruction Set Randomization (ISR) to enhance web application security. It introduces a prototype system that randomizes SQL keywords, which are then processed by a DBMS proxy to detect and prevent injection attacks without modifying existing application code. Experimental results indicate that this approach effectively mitigates SQL injection risks while maintaining low processing costs.

2016 2nd IEEE International Conference on Computer and Communications

Research and Implementation of SQL Injection Prevention Method Based on ISR

Chen Ping, Wang Jinshuang, Pan Lin, Yu Han


College of Command Information Systems
PLA University of Science and Technology
Nanjing, China
e-mail: [email protected]@[email protected]@163.com

Abstract: SQL injection is a major threat to the security of web applications. This paper analyzes the weaknesses of the current solutions that prevent it, presents a method of preventing SQL injection attacks by ISR (Instruction Set Randomization), and introduces a prototype system based on the method. The system first randomizes the SQL keywords by appending a random integer; the randomized SQL statement is then transmitted to a DBMS proxy, which finds and prevents SQL injection attacks by analyzing the syntax; finally the DBMS proxy translates the randomized SQL back into the standard SQL statement and sends it to the DBMS. Experimental results show that the system effectively prevents SQL injection attacks and has a low processing cost.

Keywords: SQL injection attack; ISR (Instruction Set Randomization); DBMS proxy; randomize

I. INTRODUCTION

With the advent of Web 2.0 and the rapid spread of applications built on the B/S (browser/server) model, a large number of web applications are in use. Because the skill and experience of programmers vary, many web applications do not properly sanitize user input, and an attacker can carefully craft inputs that inject SQL statements, potentially allowing him to read or corrupt database (DB) data, modify DB structures, and so on. In 2013 the SQL injection attack ranked first in the OWASP (Open Web Application Security Project) Top 10.

This paper analyzes the principle of the SQL injection attack, proposes an SQL injection defense method based on ISR (Instruction Set Randomization) [1], and builds a prototype system based on this method. The system first randomizes the SQL keywords by appending a random integer; the randomized SQL statement is then transmitted to a DBMS proxy, whose main functions are analyzing the syntax of the SQL to find and prevent SQL injection attacks and translating the randomized SQL back into the standard SQL statement. Because the attacker does not know the key of the randomization algorithm, a standard SQL statement injected by the attacker is easily detected. The defense system sits between the web server and the database and is transparent to both the web application and the database, so there is no need to modify existing application code, the server, or the database platform.

II. RESEARCH ON THE EXISTING DEFENSE SOLUTIONS OF SQL INJECTION ATTACK

A. The Principle of SQL Injection

Attackers submit specially crafted SQL fragments to the web application through the input fields of a web form or the query string of a page request. Because almost all web applications connect to a back-end database, the malicious SQL fragments submitted by attackers are inserted into the application's statements and executed by the DBMS. Below is a code fragment that has an SQL injection vulnerability:

    SQLQuery = "SELECT * FROM Users WHERE UserName = '" + strUserName + "' AND Password = '" + strPassword + "'"
    If GetQueryResult(SQLQuery) = 0 Then
        bAuthenticated = false
    Else
        bAuthenticated = true
    End If

This code performs user login authentication: if the user name strUserName and the password strPassword entered by the user match a row in the Users table, authentication succeeds; otherwise it fails. For example, if strUserName is Smith and strPassword is 123456, the SQL query string is SQLQuery = "select * from users where username = 'Smith' and password = '123456'". If the attacker's input is strUserName = ' or '1'='1, the SQL query string becomes SQLQuery = "select * from users where username = '' or '1'='1' and password = ''". We can see that the query condition is now always true, so the query returns some records and authentication succeeds, which is contrary to the original intention of the program.

The attacker did not enter a correct user name and password and can still log in to the system; the attacker exploits the system by SQL injection through careful construction of special SQL statements. Web applications built on Active Server Pages, Java Server Pages, ASP, PHP or Perl with SQL Server, MySQL, Oracle, DB2, Sybase and similar databases are all likely to have this vulnerability. Because some database servers provide powerful access to the command-line shell and registry functions, the attacker can not only query, modify and insert into the database but even control the entire database server.
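As an added example (not code from the paper), the login check above is transcribed into Python against an in-memory SQLite table: the concatenating form reproduces the paper's SQLQuery string, and a parameterized form shows the same input failing to authenticate. The Users rows are constructed sample data; the attacker string is the page's ' or '1'='1, here supplied in both fields (a constructed variation of the page's input); make_db and the function names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the paper's Users table.
USERS = [("Smith", "123456"), ("Jones", "qwerty")]


def make_db():
    """In-memory SQLite database holding the constructed Users rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return con


def build_query_by_concatenation(str_user_name, str_password):
    """The vulnerable pattern from the paper: user input is spliced into the
    SQL text, so a quote in the input changes the statement's structure."""
    return ("SELECT * FROM Users WHERE UserName = '" + str_user_name
            + "' AND Password = '" + str_password + "'")


def authenticate_concatenated(con, str_user_name, str_password):
    """Stand-in for the paper's GetQueryResult(SQLQuery) = 0 test: any row
    returned counts as a successful login."""
    sql = build_query_by_concatenation(str_user_name, str_password)
    return len(con.execute(sql).fetchall()) > 0


def authenticate_parameterized(con, str_user_name, str_password):
    """Hardened form: the statement text is fixed and the input travels as
    bound parameters, so quotes in the input can never become SQL syntax."""
    rows = con.execute(
        "SELECT * FROM Users WHERE UserName = ? AND Password = ?",
        (str_user_name, str_password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    con = make_db()
    injected = "' or '1'='1"  # the page's attacker input, used in both fields
    print(build_query_by_concatenation(injected, injected))
    print("concatenated :", authenticate_concatenated(con, injected, injected))
    print("parameterized:", authenticate_parameterized(con, injected, injected))
```

Run as a script it prints the injected statement, True for the concatenated check and False for the parameterized one; the difference is that the parameterized statement's structure is fixed before any user input is seen, which is the same property the paper's keyword randomization tries to recover for applications that cannot be rewritten.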

978-1-4673-9026-2/16/$31.00 ©2016 IEEE    1153


Authorized licensed use limited to: Don Bosco Institute of Technology-Bengaluru. Downloaded on March 17,2025 at 07:13:29 UTC from IEEE Xplore. Restrictions apply.
B. The Existing Defense Solutions of SQL Injection Attack

Current SQL injection defense technology is mainly based on static program analysis and dynamic detection, including input filtering [2], manual detection [3], [4], information flow analysis [5], [6], special APIs, etc.

1) Input filtering detects SQL injection attacks based on a predefined set of sensitive characters. This method easily causes false positives and false negatives. Moreover, because SQL injection technology keeps developing, new techniques such as encoding the keyword have appeared; for example, a single quote can simply be encoded as %39 or char(39). Therefore the sensitive-character filtering technique has many problems.

2) Manual detection requires the programmer to strictly filter the parameters of user input. However, complex applications need to handle a large amount of user input, so manual detection not only greatly increases the burden on the programmer but also makes the program difficult to maintain.

3) The dynamic information flow analysis technique mainly infers the intent of the original program query from its syntax tree. The major problem faced by this method is accurately analyzing and inferring the difference in purpose between the original SQL statement and the SQL injection statement.

4) Special APIs are used in some specific web programs, which encapsulate commonly used database operations in special API functions. This approach may not carry the risk of SQL injection, but it is impossible for every web application to use special APIs, and the method requires programmers to learn the syntax of these special API functions.

III. THE DESIGN AND IMPLEMENTATION OF SQL INJECTION DEFENSE PROTOTYPE SYSTEM BASED ON ISR

A. The Principle of SQL Injection Defense Based on ISR

The SQL injection defense method based on ISR randomizes SQL's standard keywords (including SELECT, FROM, WHERE, etc.) by appending a random integer, which effectively creates a new set of SQL keywords. All SQL injection attacks are then prevented, because user input inserted into the "randomized" query is classified as a set of non-operators, resulting in an invalid expression. The following example demonstrates the randomization of SQL keywords.

The original, non-randomized statement is:

    SELECT * FROM user WHERE name = '$_name' AND pwd = '$_pwd'

This SQL statement contains four keywords: SELECT, FROM, WHERE and AND. If the key is 123, the randomized SQL statement is:

    SELECT123 * FROM123 user WHERE123 name = '$_name' AND123 pwd = '$_pwd'

B. Implementation of SQL Injection Defense Prototype System Based on ISR

The SQL injection defense prototype system based on ISR randomizes SQL's standard keywords, which introduces a new set of keywords to SQL. One solution is to modify the DB's SQL interpreter, but that is very complex, so we adopt the method of adding a DBMS proxy server between the web server and the database server. The web application transmits SQL instructions to the proxy server, and the proxy finds and prevents SQL injection attacks by analyzing the syntax: when a statement contains standard SQL keywords, the system has suffered an injection attack; if there is no SQL injection attack, the proxy server de-randomizes the SQL statement to restore the standard SQL statement and forwards it to the database, as shown in Fig. 1.

[Figure 1. Prototype system based on ISR. Client --HTTP requests--> Web Server (middleware) --randomized SQL--> Proxy Server --standard SQL--> Database Server (DB); the result set returns along the same path.]

Now many websites are built with PHP and MySQL, so this paper mainly studies an SQL injection defense method for this kind of website.

1) Randomization of SQL keywords

The SQL keyword randomization module reads the PHP programs of the web application as text files, extracts the standard SQL keywords, and randomizes them by appending a random integer. The random integer is produced by MD5(T, K) mod 1000, where K is the shared key between the web application and the proxy server and T is the system time in minutes; the mod operation keeps the random integer to 3 digits.

2) Construction of the proxy server

The proxy server detects SQL injection attacks and de-randomizes the SQL statement, then forwards the standard SQL statement to MySQL, and finally transmits the query result set from MySQL to the web application. MySQL Proxy is a proxy product of MySQL; in this paper we modify MySQL Proxy to meet our needs.

a) Introduction of MySQL Proxy

MySQL Proxy is a program that sits between the client and the MySQL database and can monitor, analyze or change the communication between them. It can be used flexibly; common uses include load balancing, fault analysis, query analysis, query filtering and modification. As such a middle agent layer, MySQL Proxy is, simply put, a connection pool responsible for forwarding the foreground application's connection requests to the back-end database; by using Lua scripts it can realize complex connection control and filtering, and can revise or rewrite queries.
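The randomization of III.B.1 together with the proxy-side detection and restoration of III.A, as an added Python example that is not the paper's PHP-reading randomizer or its Lua proxy script. It assumes a keyword list beyond the four the paper names, joins T and K with ':' before hashing (the paper does not say how they are combined), and stands in for the proxy's syntax analysis with a scanner that ignores words inside single-quoted string literals; the template and the key 123 are the paper's own worked example, the user inputs are constructed, and substitute() imitates PHP interpolation rather than any real PHP API.

```python
import hashlib
import re

# Standard SQL keywords that the randomizer rewrites. The paper names SELECT,
# FROM, WHERE and AND; extending the list this far is an assumption.
KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "FROM", "WHERE", "AND",
            "OR", "UNION", "ORDER", "BY", "LIMIT")


def random_key(t_minutes, shared_key):
    """The paper's random integer MD5(T, K) mod 1000 as a 3-digit string.
    The paper does not say how T and K are combined before hashing; joining
    them with ':' is an assumption."""
    digest = hashlib.md5(f"{t_minutes}:{shared_key}".encode()).hexdigest()
    return f"{int(digest, 16) % 1000:03d}"


def _bare_words(sql):
    """Yield (word, start, end) for every identifier-like word that lies
    outside single-quoted string literals ('' inside a literal is an escaped
    quote). Keeping literals out of the scan is the simplified stand-in for
    the syntax analysis the paper's proxy performs."""
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":                      # skip a string literal
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":
                        j += 2            # escaped quote, stay in literal
                        continue
                    break
                j += 1
            i = j + 1
        elif c.isalpha() or c == "_":     # collect a word
            j = i
            while j < n and (sql[j].isalnum() or sql[j] == "_"):
                j += 1
            yield sql[i:j], i, j
            i = j
        else:
            i += 1


def randomize(sql_template, key):
    """Application side: append the key to each standard keyword of the query
    template as it appears in the PHP source, before any user input exists."""
    out, last = [], 0
    for word, start, end in _bare_words(sql_template):
        if word.upper() in KEYWORDS:
            out.append(sql_template[last:end] + key)
            last = end
    out.append(sql_template[last:])
    return "".join(out)


def substitute(randomized_template, values):
    """Stand-in for PHP interpolating user input into the randomized query;
    placeholders are written $_name as in the paper's example."""
    for name, value in values.items():
        randomized_template = randomized_template.replace("$_" + name, value)
    return randomized_template


def derandomize(packet, key):
    """Proxy side, the Figure 3 flow: a bare standard keyword, or a keyword
    carrying the wrong key, means the text did not come from the randomized
    application and is rejected as injection; otherwise the key is stripped
    and the standard SQL is returned. Returns (ok, sql_or_reason)."""
    out, last = [], 0
    for word, start, end in _bare_words(packet):
        if word.upper() in KEYWORDS:
            return False, f"standard keyword {word.upper()!r} at offset {start}"
        m = re.fullmatch(r"([A-Za-z]+)(\d{3})", word)
        if m and m.group(1).upper() in KEYWORDS:
            if m.group(2) != key:
                return False, f"keyword {word!r} carries the wrong key"
            out.append(packet[last:start] + m.group(1))
            last = end
    out.append(packet[last:])
    return True, "".join(out)


if __name__ == "__main__":
    key = "123"  # the paper's worked example uses key 123
    template = "SELECT * FROM user WHERE name = '$_name' AND pwd = '$_pwd'"
    randomized = randomize(template, key)
    for values in ({"name": "Smith", "pwd": "123456"},
                   {"name": "' or '1'='1", "pwd": ""}):
        print(derandomize(substitute(randomized, values), key))
```

A benign login restores to the standard statement, the page's ' or '1'='1 input is rejected because its bare "or" never received the key, and a guessed suffix such as OR999 is rejected because the key does not match. A user name that merely contains a keyword (for example "order") passes, since it stays inside its string literal. Because T is the time in minutes, a statement randomized just before a minute boundary and checked just after it would carry a key the proxy no longer expects; the paper does not address this, and a deployment would have to decide how to handle the rollover.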

For applications, MySQL Proxy is completely transparent: the application simply connects to the listener port of MySQL Proxy.

b) Introduction of Lua

Lua is an embeddable, lightweight, fast and powerful scripting language. Today Lua is widely applied in many fields, especially those that require an extensible, portable and efficient scripting language, where Lua is often the best choice: game development, stand-alone application scripts, system security, extension of applications, and so on.

Lua scripts are very easy to call from C/C++ code and can also call C/C++ functions, which makes Lua widely used in applications. Lua and C integrate very easily with each other, which brings many benefits. Because Lua is a lightweight scripting language, it lacks the strong points of C, such as superb performance, a strong ability to operate on the lower layers of the system, and strong third-party software interfaces; Lua can use the powerful features of C to accomplish these tasks, while Lua has the characteristics that C is not good at, such as dynamic structure, no redundancy, and simple testing and debugging.

Lua, in addition to being an extensible language, is a "glue language". Lua is a component-based language: new applications can be created by gluing together high-level components. These components can be written in other languages and can be compiled. Lua plays the role of glue in organizing and connecting each component. Generally speaking, a component represents a more specific, lower-level concept that the programmer can hardly modify during program development, and in the final program these components occupy a large share of the CPU time, but Lua can bind these components together to build an application. The difference between Lua and other "glue languages" is that Lua's functionality is quite complete, so it can be used not only to glue components together but also to adapt and transform components, and even to construct new components.

c) Execution process of Lua script in MySQL Proxy

MySQL Proxy defines six Lua functions that are called during the communication between the client and the MySQL server.

Every time the client connects to MySQL Proxy, the function connect_server() is called. connect_server() can decide whether to use a new connection or a connection from MySQL Proxy's connection pool.

When the initial handshake information is sent to the server, the read_handshake() function is called. When the client sends an authentication packet (including user name, password, etc.) to the back-end server, read_auth() is called.

When the client sends an SQL command request to MySQL Proxy, the read_query() function is called; with this function the proxy can add SQL command requests, modify the original SQL command request and submit the modified packet to the server, or return an error message to the client.

When the server executes the SQL command and obtains the results, the results are forwarded to MySQL Proxy and the read_query_result() function is called; the results are processed by the Lua script and then returned to the client.

When the client needs to close the connection, the disconnect_client() function is called; in this function MySQL Proxy can choose to close the current connection to the server or return the connection to the connection pool.

d) The implementation of the DBMS proxy

MySQL Proxy works as an agent between the web client and the database server and is transparent to both. When MySQL Proxy works, it first accepts client requests in the role of a server, analyzes and processes these requests according to its configuration, then forwards the request to the corresponding back-end database server in the role of a client, and finally accepts the server's response and returns it to the client. MySQL Proxy therefore needs to implement both the client and the server side of the protocol. Because it needs to analyze the SQL statements sent from the client, it also needs to include an SQL parser. It can be said that MySQL Proxy is equivalent to a lightweight MySQL.

MySQL Proxy sits between the web server and the database server as shown in Fig. 2, and can monitor, analyze or change the communication between them. When MySQL Proxy works, it first acts as a server and receives the instructions from the web server (acting as a client), analyzes and processes them according to the configuration, then acts as a client and sends the instructions to the back-end database, and finally accepts the results from the database and transmits them to the web server.

[Figure 2. The main part of MySQL Proxy: the client connects to the proxy (connect_server()), the proxy connects to the SQL server, and the query result returns to the client through the proxy.]

MySQL Proxy's core functions are connect_server(), read_query() and read_query_result(): connect_server() transmits the connection request, read_query() transmits the SQL statements, and read_query_result() transmits the query results. So in order to detect SQL injection attacks and de-randomize the SQL statement, the SQL statement must be intercepted before it is forwarded to MySQL, which requires rewriting read_query(). In MySQL Proxy, we modify the startup configuration file mysql-proxy.cnf to rewrite read_query(); the following configuration items are added:
    proxy-address = 192.168.1.1:4040
    proxy-lua-script = C:/MySQL/mysql-proxy-0.8.5/share/doc/mysql-proxy/suiji.lua
    proxy-skip-profiling = true
    proxy-backend-addresses = 192.168.1.1:3306

The configuration item "proxy-lua-script" specifies the script file the proxy server executes. In the script file we rewrite the read_query() function, adding SQL injection attack detection and de-randomization; the main process is as follows:

[Figure 3. The function of MySQL Proxy (flowchart): get the packet parameter of read_query(), which is the SQL statement to be processed; if a standard SQL keyword is contained in the packet (Y), an SQL injection attack is detected; otherwise (N) get the system time T and the key K, calculate the random key MD5(T, K) mod 1000, remove the random key from the packet to restore the standard SQL, and add the modified packet to the proxy server's query queue.]

The example code of SQL injection attack detection is below:

    -- look for the keyword ("or" in this example) in the query packet
    pos = string.find(packet, "or")
    if pos then
        -- the three characters after the keyword should be the random key
        b = string.sub(packet, pos + 2, pos + 4)
        if b ~= key then
            proxy.response.type = proxy.MYSQLD_PACKET_ERR
            proxy.response.errmsg = "SQL injection"
            return proxy.PROXY_SEND_RESULT
        end
    end

IV. THE PERFORMANCE ANALYSIS OF PROTOTYPE SYSTEM

In the evaluation experiment of the prototype system, we downloaded three popular web applications with existing SQL injection vulnerabilities as the test objects. These web applications are built with PHP and MySQL; we applied the SQL injection prevention method based on ISR to them and used the SQL injection testing tool sqlmap to detect SQL injection attacks. Due to the presence of the defense system, sqlmap could not detect the SQL injection vulnerabilities in the three web applications.

Table I lists the page response time of the non-protected system and the protected system. We can see that the defense system only adds about 1 s of processing time, which is within the range users can accept.

TABLE I. THE PAGE RESPONSE TIME OF NON-PROTECTED SYSTEM AND PROTECTED SYSTEM

    Object of test   | page response time (no protection) | page response time (protected by ISR)
    DVWA Web         | 703 ms                             | 1610 ms
    BBSXP 7.3        | 1000 ms                            | 2003 ms
    PHP-Nuke CMS     | 903 ms                             | 1580 ms

V. CONCLUSION

In this paper, we propose a method of preventing SQL injection attacks by ISR (Instruction Set Randomization) and build a prototype system based on this strategy. The prototype system randomizes the SQL keywords in the application; because the SQL statements injected by the attacker are not randomized, the SQL injection can be easily detected. Experimental results show that this system has a good effect on preventing SQL injection and a low running cost.

The defense prototype system is implemented in the form of an intermediate agent. As long as the random key does not leak, it is very difficult for the attacker to make a successful SQL injection, and because the secret key can be defined by the user, brute force is also very difficult for the attacker. In the initial application to some practical projects, the defense system has shown a good effect in defending against SQL injection attacks and has practical value.

REFERENCES

[1] Boyd S W, Kc G S, Locasto M E, et al. On the general applicability of instruction set randomization. IEEE Transactions on Dependable and Secure Computing, 2008, 7(3):225-270.
[2] Zhao Wenlong, Zhu Junhu, Wang Qingxian. Analysis and Prevention of SQL Injection. Computer Engineering and Design, 2006, 27(2).
[3] V. Benjamin Livshits, Monica S. Lam. Finding security vulnerabilities in Java applications with static analysis. Proceedings of the 14th conference on USENIX Security Symposium, Volume 14. U.S.A: USENIX Association, 2005.
[4] Yichen Xie, Alex Aiken. Static detection of security vulnerabilities in scripting languages. Proceedings of the 15th conference on USENIX Security Symposium. U.S.A: USENIX Association, 2006, 15.
[5] Sabelfeld A, Myers A C. Language-based information flow security. IEEE JSAC, 2003.
[6] Carl Gould, Zhendong Su, and Premkumar Devanbu. Static checking of dynamically generated queries in database applications. ACM Transactions on Software Engineering and Methodology (TOSEM). U.S.A: ACM, 2007, 16.