Preventing SQL injection attacks by automatic parameterizing of raw queries using lexical and semantic analysis methods

Document Type: Article


Department of Computer Engineering, Sharif University of Technology, Azadi Ave., Tehran, Iran


SQL injection (SQLI) is one of the most important security threats against web applications. Many techniques have been proposed for counteracting SQLI attacks; however, second-order attacks and injection attacks that raise data-type mismatch errors have been ignored in most of them. In this paper, we propose a new anomaly-based method (deployed as a proxy between the application server and its database server) for detection and/or prevention of SQLI attacks without requiring any modification to the source code of vulnerable applications. The majority of attacks, which lead to a change in the syntax of application queries, are identified in the detection phase by lexical analysis of the queries. The remaining types of attacks, such as second-order attacks and attacks generating data-type mismatch errors, are prevented from executing in the prevention phase, where each query is automatically converted to a parameterized query (before being submitted to its database) using a semantic analysis method.
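The two phases described above, as an added illustration that is not the paper's implementation (the paper deploys a proxy and a fuller semantic analysis; this sketch lexes only a small SQL subset). A raw query is tokenized, its literals are pulled out as bound parameters, and the remaining structural template is compared with a baseline learned from a benign execution; only a query whose structure matches is passed on, in parameterized form, to a constructed in-memory SQLite database. Names such as `parameterize`, `execute_guarded` and `demo` are assumptions of this example.

```python
import re
import sqlite3

# Lexical grammar for the subset handled here: single-quoted strings ('' escapes a
# quote), numeric literals, identifiers/keywords, single-char operators, whitespace.
TOKEN_RE = re.compile(
    r"(?P<string>'(?:[^']|'')*')"
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<punct>[^\s\w'])"
    r"|(?P<ws>\s+)"
)

def parameterize(query: str):
    """Lex a raw query; return (structural template with '?' placeholders, bound values)."""
    template, params, pos = [], [], 0
    for m in TOKEN_RE.finditer(query):
        if m.start() != pos:                 # the lexer skipped input: reject it
            raise ValueError(f"unexpected input at offset {pos}")
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind == "string":
            template.append("?")
            params.append(text[1:-1].replace("''", "'"))
        elif kind == "number":
            template.append("?")
            params.append(int(text) if text.isdigit() else float(text))
        elif kind == "ws":
            template.append(" ")             # collapse whitespace runs
        elif kind == "word":
            template.append(text.upper())    # keywords/identifiers are case-insensitive
        else:
            template.append(text)
    if pos != len(query):                    # e.g. an unterminated string literal
        raise ValueError("unterminated literal or unexpected input")
    return "".join(template).strip(), params

def execute_guarded(conn, query: str, baseline: str):
    """Detection: template must equal the benign baseline. Prevention: bind literals."""
    template, params = parameterize(query)
    if template != baseline:
        raise PermissionError(f"query structure deviates from baseline: {template}")
    return conn.execute(template, params).fetchall()

def demo():
    conn = sqlite3.connect(":memory:")       # constructed sample table and data
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    baseline, _ = parameterize("SELECT name FROM users WHERE name = 'x' AND pw = 'y'")
    return execute_guarded(conn, "SELECT name FROM users WHERE name = 'alice' AND pw = 'secret'", baseline)
```

A query whose concatenated input adds `OR ?=?` to the template is rejected before it reaches the database, while a benign query with an awkward value such as `O''Brien` passes because the literal is bound rather than interpreted.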
