SQLrand: Preventing SQL Injection Attacks

Boyd, Stephen W.; Keromytis, Angelos D.

We present a practical protection mechanism against SQL injection attacks. Such attacks target databases that are accessible through a web front-end, and take advantage of flaws in the input validation logic of Web components such as CGI scripts. We apply the concept of instruction-set randomization to SQL, creating instances of the language that are unpredictable to the attacker. Queries injected by the attacker will be caught and terminated by the database parser. We show how to use this technique with the MySQL database using an intermediary proxy that translates the random SQL to its standard language. Our mechanism imposes negligible performance overhead to query processing and can be easily retrofitted to existing systems.



Also Published In

Applied cryptography and network security: second international conference, ACNS 2004, Yellow Mountain, China, June 8-11, 2004: proceedings

More About This Work

Academic Units
Computer Science
Lecture Notes in Computer Science, 3089
Published Here
July 5, 2012