IBN AL- HAITHAM J. FOR PURE & APPL. S CI.         VOL.24 (2) 2011  

 

Proposed Methods To Prevent SQL Injection   

 

A. H. Mohmme d 
Departme nt of Computer Science, College of Education, Unive rsity of Al-
Mustansiriyah  
Received  in :  3, October , 2010 
Accepte d  in :  8, February, 2011 
 

Abstract 
     In the last decade, the web has rapidly  become an attractive p latform, and an indisp ensable 
p art of our lives. Unfort unately , as our dependency on the web increases so p rogrammers  
focus more on functionality  and appearance than security, has resulted in the interest  of 
att ackers in exp loiting serious security  p roblems that target web applications and web-based 
information sy stems e.g. through an SQL injection att ack.  
   SQL injection in simple terms, is the p rocess of p assing SQL code into interactive web  
applications that emp loy database services such app lications accep t user inp ut  such as form  
and then include this input in database request s, typ ically SQL st atements in a way  that was 
not intended or anticipated by  the application developer that att empts to subvert the 
relationship  between a webpage and  its supp orting database, in  order to t rick the database into  
executin g malicious code due to the poor design of the ap p lication.  
    The p rop osed syst em is based on p rotection website at run time, before inclusion of  user  
input with database by  validating, encoding,  filterin g the content, escap ing sin gle quotes,  
limiting the input character length, and filtering the excep tion messages. The p rop osed 
solution is effectiveness and scalability  in addition it is easily adopted by  application 
p rogrammers. For emp irical analy sis, we p rovide a case study  of our solution and imp lement 
in Html, PHP, My Sql , Ap ache Server and Jmeter app lication. 
 

Key words:web site security , Data Base Server, SQL Injestion attack 

Introduction 
      The Internet has brought about many  chan ges in the way  or ganizations and individuals  
conduct business, and it would be difficult t o op erate effectively without the added efficiency 
and communications brou ght about by  the internet [1].  In the last few y ears, the pop ularity  of 
web-based applications has grown tremendously. A number of factors have led an increasin g 
number of organizations and individuals to rely  on web-based applications to p rovide access  
to a variety  of services. Today, web-based applications are routinely used in security critical 
environments, such as medical, financial, and military  sy stems [2]. Because of the pop ularity 
of these types of applications many  techniques to exp loit their security  vulnerabilities are 
p otentially quite dangerous. One such  technique is  called  SQL  injection [3].  SQL  Injection 
att ack has been one of the major threats to the security of web app lications and att ackers can 
trick server into executing malicious SQL code which is [4]. occurs when user input is p arsed 
as SQL tokens, thus changing the semantics of the underly ing query [3]. SQL injection 
att acks have been used to extract customer and order information fro m e- commerce databases  
or byp ass security  mechanisms. The intuition b ehind such  att acks is that p redefined logical 
exp ressions within a p redefined query can be altered simply by  injecting op erations that 
alway s result in true or false st atements [5]. 
     



 
 

IBN AL- HAITHAM J. FOR PURE & APPL. S CI.         VOL.24 (2) 2011  
 

   This p aper, p resents a runtime technique to p revent SQL injection observe that all SQL  
injections alter the st ructure of the query intended by  the p rogrammer and by  cap turing this 
st ructure at runtime, we can  compare it to the p arsed st ructure after inserting user-sup p lied 
input, and evaluate similar ity . Evaluated the prop osed sy stem based on user inp ut on a set of 
real-world app lications without requiring a call to the database, thus lowerin g runtime costs 
and satisfy  the following three criteria: 

1. p revent the possibility  of the attack 
2. M inimize  the effort required by  the programmer  
3. M inimize the runtime overhead.  

  This p aper is st ructured as follows: The next section reviews related work and section 3  
describe web server technolo gy  and section 4 SQL  injection workin g while section 5 describ e 
p rop osed app roach that characterizes the sanitization p rocess by  modeling the way  in which 
an app lication p rocesses input values and p rovides details  about the imp lementation of  
system, section 6 p resents t he exp erimental results that show app roach is feasible in p ractice, 
section 7 concludes t he paper. 

-We b Serve r Technology 
   Web based sy stems are a comp osition of infrastructure comp onents, web servers , 
databases, and of application sp ecific code, such as HTM L-embedded scripts and server-side 
CGI p rograms[2]. Nowaday s, lots of websites are interactive, dy namic and database-driv en, 
which run various web  app lications in servers with data stored in back- end database.  Web  2.0  
technologies allow users to do more than just retrieve information. They  can access and 
modify   the  content  and  d istribute  their  information  in  websites  such   as  social  
networking  sites,  wikis  and  blogs.    In  other  words,  they  can  control  the  d atabase 
information  via  a  web  browser [6]. 
    Web app lications accep t user inp ut via forms in web p ages. This input is p osted to the 
server as name value p airs, both of which are st rings. An alternate mechanism to p ass 
information to the server is the query  st ring. The query  string is information appended to the 
end of the URL.  On most  web servers, a question mark sep arates the resource from the qu ery 
st ring variables. Each name value p air in the query string is sep arated by  an amp ersand, and 
the user is free to edit this input as easily as form inp uts. Because it is common for web  
servers can differentiate between variables p assed in the query st ring and those p ost ed in the 
form, then will consider both as user input [3].Web-based applications represent a serious 
security  exp osure. These app lications are directly accessible through r ewalls by  design, in 
addition[7]. The infrast ructure comp onents are usually  developed by  exp erienced 
p rogrammers with solid secur ity  skills, t he ap p lication sp ecific code is oft en developed under 
st rict time const raints by  p rogrammers  with little security  training as  a result vulnerab le web-
based app lications are deployed and mad e available to the whole internet, creating easi ly 
exp loitable entry  p oints for t he compromise of entire networks [2]. 
    The Internet has brought about p roblems as the result of intruder attacks, both manual and 
automated, which can cost many  organizations excessive amounts of money  in damages and 
lost efficiency  [1]. Web-based att acks aimed at either obtaining control of the host running the 
web server application (e.g., through a buffer overflow ) The first type of attack is caused by 
vulnerabilities in the web server  soft ware or in a server-sid e web-based  app lication that allow  
one to comp romise the security of the underly ing host ,The second type of attack is [7] offer  
the vulnerabilities  of  unauthorized  database  control  and malicious  code  injection which 
att ackers  can  take  advantage  of   att ackers  are  try ing  to  get  valuable  information held in 
database, this hack is a kind of ap p lication attack called SQL injection[6]. 

-SQL Injection Work ing 
     It is very hard to understand the conceptual idea of  SQL injection without p artially  
understanding the code that runs in the background [8]. A database comp uter  language 
design ed for  the retrieval  and  management  of  data  in  relational  database  management   
systems (RDBM S) [6].  



 
 

IBN AL- HAITHAM J. FOR PURE & APPL. S CI.         VOL.24 (2) 2011  
 

     Structured Query  Lan guage (SQL)  is used  for many database sy st ems including M icrosoft  
SQL Server, Oracle, My SQL and even M icrosoft Access[8]. SQL injection is y et common 
vulnerability  that is the result of lax input validation. Unlike cross-site scripting 
vulnerabilities that are ultimately  directed at site’s visitors, SQL injection is an att ack on the 
site itself in p articular its database [9].  
   In 2008, there was a significant incr ease in the number of websites affected by  SQL  
injection att acks.T his increase can be attributed in part t o the develop ment of automated tools 
that allowed att ackers to test and comp romise sites much faster than older manual 
methods.T here are sp ecific examples of SQL  injection events that occurred in april 2008   
att acks against  microsoft internet information services (II S) that affected more than half a 
million websites and in decemb er 2008 microsoft internet e xp lorer 7 (IE7) that was leveraged  
via SQL injection att acks [10].  
    SQL injection att acks are a prime examp le of malicious input that changes the behavior of  
a p rogram by  introduction of query structure into t he input strings. An application that does 
not p erform input validation (or emp loys error-p rone validation) is vulnerable to SQL  
injection att acks. Although useful as a first  lay er of defense, input validation often is hard to 
get right, The absence of p rop er input validation has been cited as the number on e cause  of  
vulnerabilities in web app lications [11]. A  successful  SQL  injection  exp loit  can  read   
confidential  data  from the database ,modify  database data (INSERT/UPDATE/DELETE), 
execute  administration op erations  on  the  database  such  as  shut down  of  database  
management  sy stem (DBM S) , recover the content of a given file p resent on the DBM S file 
system and in some  cases  issue  commands  t o  the  operating  sy st em,  It  may   also  lead  to   
many  p otential att acks in other forms[6]. 

-Proposed System 
      A web application is vulnerable to an SQL injection att ack if an att acker is able to insert 

SQL st atements into an existing SQL  query of the app lication. This is usually  achieved  by  
injecting malicious  input into user fields that are used  to comp ose the query, login p age 
p romp ts the user to enter her username and p assword into a form  typ ically used for checking 
the user login cred entials therefore, are p rime targets for an att acker. In this example, if the 
login app lication does not  p erform correct input validation of the for m fields, t he att acker can  
inject st rings into t he query  that alter its semantics. For examp le, consider an hack er entering 
“OR 1=1”-- one of sql injection st ring as in the tabel(1), the “--” command indicates a 
comment in Transact-SQL. Hence, everything after the first  “--” is ignored by  the SQL 
database engine with the help  of the first quote in the inp ut string, the user name st ring is 
closed, while the “OR 1=1” adds a clause to the query  which evaluates to true for every  row 
in the table. Wh en executin g this query, the database returns all user rows, which  app lications 
often interpret as a valid login. So in the p rop osed system all client-supp lied data needs to b e 
cleansed of any characters or st rings that could p ossibly  be used maliciously  as shown in the 
figur e(1). 
  In this section list p rop osed methods can be app lied to minimize the risk of a SQL injection 
att ack . 

1. Validation Input  
     The first  st ep  in any  form processing script should check the sy ntax of input for validity  to 
verify  that t he inp ut is a valid  input in the lan guage. The validation could b e any thing such  as  
checkin g whether the entered valu e for “p assword" is a number, and  is 16  or ov er, or mak ing 
sure the username column has only valid characters such as A to Z, a  to z and many classes 
of input have fixed lan guages such Email addresses, dates etc . 

2. Enco ding Input  
    Sometimes input might contain some illegal characters, or it might not alway s be viable to 
validate all user input for examp le, in a search field the user could ty p e anything that t hey are 
searching for, including scr ipt tags such as <script> ,encoding is the best  way  to neutralize  



 
 

IBN AL- HAITHAM J. FOR PURE & APPL. S CI.         VOL.24 (2) 2011  
 

     harmful d ata from user input, since encoding translates the harmfu l characters into their  
disp lay  equivalents for examp le the < character will b e translated into &lt; character. The 
Ht mlEncode method of t he server object can be used to encode the har mful characters. 
3. Fil tering Input  
   If an app lication does not filter user input before it is used in a SQL qu ery, then SQL  
injection vu lnerability  occurs because serv er received incorrect input from an untrust ed 
client.So  p rop osed syst em p revent SQL injection att acks by  filtering user input using 
lan guage-sup p lied input filtering functions before usin g untrust ed input in a SQL query. For 
example, let's supp ose to filter out special ch aracters such as the following: [   ]    {   }   ;    &. 
to achieve this functionality  use the Rep lace method of t he String ob ject t his code will rep lace 
all the unwanted characters from the users inp ut. 

4. Limit the  Length of User Input  
   M ake use of the maxlength att ribute of the textbox controls will be r estricting the number of  
characters the hack er can ty p e. In p rop osed sy stem all text boxes and form f ields should b e 
alway s as short as p ossible for example, if the firstname textbox should only accep t 40 
characters, then enforce the length in the maxLen gth att ribute. This will restrict the hacker to 
send small set of commands back to t he server  
<input type="text" id="txtFirstname" M axLen gth="40" runat="server "/> 

5. Modify Error Reports  
     In situations where the att acker has no knowledge of the underly ing SQL query or the 
contributing tables,  hacker try  to tamp er with the SQL st atement in order to receive an error 
message and can gain more information about the SQL st atement, and can st art tamp ering 
with the SQL st atement. The prop osed sy stem p rocess error rep orts p rop erly  and configur e in 
such a way  that error cannot be shown to outside users and disp lay  of errors should be 
restricted to internal users only such as 

1. disp lay _errors = Off 
2. disp lay _st artup _errors = Off 
3. log_ errors = On 
4. log_ errors_max_len = 0 
5. ignor e_rep eated_errors = Off 
6. ignor e_rep eated_source = Off 
7. track_errors = Off 
8. error_lo g = /var/log/php .log --OR—syslog 

6. Lo w privilege 
   Limit database p ermissions and se gregate users and never allows to connect as a d atabase 
administ rator in web app lication will limit the damage potential. 
    The p rop osed syst em has three p ages , the code of  first p age shown in figur e(2) is an 
HTM L page with a form element. The form asks the visitor to enter his My SQL user name 
and p assword.The name of this p age is login.html as shown in figure(3) , when user full the 
data and click login button the data will send by  p ost method to the second page that called  
validentry .p hp   which works in hide,code of this p age shown in figure(4). 

 
-Evalution  
      Web-based app lications have become a p op ular means of exp osing functionality  to large 
numbers of users by  leveraging the services p rovided by  web servers and databases. T he wide 
p roliferation of custom developed web-based applications suggests that a app roach for 
p roviding ear ly warning and real-time b locking of sql injection exp loits. T he prop osed sy stem 
comp osed of a number of methods used to p revent sql injection att ack. The prop osed sy stem 
evaluated its ap p licability  with resp ect to several existing web-b ased ap p lications accordin g to  
four key metrics: 
 



 
 

IBN AL- HAITHAM J. FOR PURE & APPL. S CI.         VOL.24 (2) 2011  
 

1- Safety  - How well a technique resists being circu mvented or def eated when faced with  
a competent attacker 

2- Sp eed - How high the performance overhead of a technique is 
3- Flexibility  - How app licable a technique is to a range of d ifferent security  flaws and 

vulnerabilities  
4- Practicality  - How easy  it is to app ly a technique to modern soft ware settings, where 

source code access may  not be available and legacy  code may  be present. 
    The prop osed sy stem tested  at run time by  Ap ache's JM eter testing,this application allows 
one to schedule walks through a web ap p lication, includ ing detailed web form submission and 
thus database querying. JM eter can execute script with a configurable number of concurrent  
users. It also allows the tester to configure the delay  between request s for the simulated 
users.T abel(2) shows the resp onse times to execute two type of query as in table(3) with 
number of users.  
 

Conculsion 
     A criminal can break into a sy stem and wreak havoc on a network or comp uter sy stem 
different way s. It is up  to the web application developers to do their p art in making sure the 
applications they  design are not vulnerable to any  known t hreats, In general p rop osed sy stem 
is not limited to any sp ecic p latform since it does not rely  on any p articular lan guage 
mechan ism or technology . This strategy  can be instantiated for any  existing web app lication 
framework.  
 

Re ferences 
1. goheer,J. (2009), SQL Injection and Cros Site Scripting , Kualitatem Pvt Ltd. 
2. Cova, M .; Felmetsger,V. and Giovanni Vign a,(2007), Vu lnerability  Analysis of Web-

based  App lications, University  of California.  
3. Buehrer, G.; Weide,W.; Pao lo,A. and Sivilotti, G. (2010), Using Parse Tree Validation to  

Prevent SQL Injection At tacks” ,Computer Science and Engineering of Ohio State  
University  . 

4. Xiang, F.; Qian,K. (2008), SAFELI – SQL Injection Scanner Using Sy mbolic 
Execution,School of Computing and Software Engineer ing Southern Poly technic State  
University  . 

5. Stephen,W. and Keromytis, D. (2010), SQLrand: Preventing SQL In jection At tacks, 
Dep artment of Comp uter Science Columbia University . 

6. Ronald,L. (2008), SQL Injection, Hong Kong Computer Emergency Resp onse Team 
Coordination Centre.  

7. Kruegel ,K. ; Valeur ,F. and  Barbara,S. (2007), An Anomaly -driven Reverse Proxy for 
Web App lications, University  of California. 

8. M rowt on,K. ( 2005) , Int roduction to SQL Injection, Lee Lawson . 
9. lia,I. (2005), SQL Injection, Ilia_ Security .indb 
10. Finch,N. (2009), SQL Injection  , US-CERT gov ernment or ganization  
11. Bisht, P.; Prasad,A. and Venkatakrishnan, V.  (2010), Aut omatically  Prep aring Safe SQ L 

Queries, Department of Comp uter Science University  of Illinois, Chicago, USA.  
 
 

 

 

 



 
 

IBN AL- HAITHAM J. FOR PURE & APPL. S CI.         VOL.24 (2) 2011  

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Tabel (1): Example of sql Injection 

admin' --  ') or ('1'='1— 
admin' # ') or ('1'='1 
admin'/*  "or "1"="1 
' or 1=1-- ' or '1'='1 
' or 1=1# Or 1=1-- 
' or 1=1/* " or 1=1-- 
') or '1'='1-- ' or 1=1-- 

Table (2): Compare between  Normal SQ L Query & SQ L 

Inje ction 

Number of 

Use r 

Query TYPE Response  

Time (ms) 

1 Normal SQL Query 70 

1 SQL Injection 75 

5 Normal SQL Query 387 

5 SQL Injection 399 

10 Normal SQL Query 792 

10 SQL Injection 810 

Table (3) : Example of normal sql query and sql i njection attack 

Normal SQL Query 

 Select * from mytable where user name = `ahmed` and password =`12345`; 

SQL Injection 

Select * from mytable where user name = ``OR 1=1; --` and password=`dummy `; 



 
 

IBN AL- HAITHAM J. FOR PURE & APPL. S CI.         VOL.24 (2) 2011  
 

  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

  
  
  
  
  
  
  
  
  
  
  
  
  
  
  

 
Fig. (1): Prop osed Sy st em 

Open  DataBase 
 

N O 

Is name 
or pass 

null 
 

YE

fals

true 

IS  
PASS 

ST R+NO 

numbe

IS NAME 

ST RING 

IS 

NAME & 

PASS 

YE

N O 

Validate
Name  & 

Pass 
 

true 

YOU HAVE PERMIS S ION ACCESS 

N O 

Use r_name: 

Use r_password 



 
 

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



 
 

IBN AL- HAITHAM J. FOR PURE & APPL. S CI.         VOL.24 (2) 2011  
  
  
 

<html> 

<head> 

<title>user Login </title> 

</head>  

<body > 

<form method="POST" action="validentry .p hp " name="Login">  

<p  >enter user name and password to enter the p age</p> 

<p  >user name :<input type="text" name=" user _name"  size="20"></p > 

<p >p assword:<inp ut type="p assword" name=" user _password"  size="20"></p > 

<p ><input type="submit" value="send" name="Login"></p> 

</form> 

</body> 

</html> 

 

 

  

 

        <? p hp 

If ($user_name=="") or ($user_password=="") header("location: login.html"); 

If not(is_string($ user_name )) head er("location: Login.html"); 

if (!ctyp e_alnum($_POST[‘ user_p assword ’])) header("location:  Login.html "); 

Inp ut_filtering($ user_name )  

Inp ut_filtering($ user_p assword ) 

$esc_name = mysql_real_escap e_string($ user_name ); 

$esc_password = mysql_real_escape_string($ user_p assword ); 

mysql_connect("localhost", "", "") or die("Could not connect: " . my sql_error()); 

  mysql_select_db("p roject"); 

Fig.(2): Code of login 
page 

Fig.(3): login page 



 
 

IBN AL- HAITHAM J. FOR PURE & APPL. S CI.         VOL.24 (2) 2011  

 

 

$result = mysql_query ("SELECT * FROM  admin where name='$esc_name' && password='$esc_password 

‘"); 

$row = mysql_fetch_array($result, M YSQL_BOT H); 

if (($row["username"]==Null)or($row["userpassword"]==Null)) 

header("lo cation: login.html"); 

function validate_string( input ) 

known_bad = array( "select", "insert", "up date", "delete", "drop ", "union, ";",”"--","xp _",”*”,"'" ) 

for i = lbound( known_bad ) to ubound( known_bad ) 

if ( inst r( 1, input, known_bad(i), vbtextcomp are ) <> 0 )  header("location: admin.php "); 

next  

end function 

?> 

 

 

 

 

 

 
 

  

 

 

Fig.(4): Code of validentry.php 
page 



 
 

 

 

  

  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  

 

 

 

 



 
 

 2011 )2( 24مجلة ابن الهیثم للعلوم الصرفة والتطبیقیة               المجلد

  )SQLِ(حمایة تطبیقات الویِب من هجوِم حقن 

 أحمد هاشم محمد  

 علوم الحاسبات ،كلیة التربیة،الجامعة المستنصریة 

2010تشرین االول ، ،3: استلم البحث   

2011،شباط، 8:   قبل البحث  

 

 الخالصة

ولكن لسوء الحظ،االعتمادیة على الشبكة زادت من . في العقد األخیر،َأْصَبَح الویب جزءًا ال غنى عنَه في حیاِتنا       

عدد المبرمجین الذین ُیرّكزوَن على تصامیم المواقع أكثَر من التركیز على الوظیفِة والحمایة مما أّدى إلى زیادة عدد 

التي َتستهدُف تطبیقاَت الویِب وأنظمِة المعلوماِت على اإلنترنِت ومثال على ذلِك  المهاجمین في ِإْسِتْغالل مشاكِل الحمایة

   (SQL injection). هجوم هو ال

إلى تطبیقاِت الویِب التفاعلیِة التي ) SQL(هو عملیُة تمریر رمِز لغة اإلستفسار البنائیِة ) SQL injection( هجوم     

المخترق َتخریب العالقِة بین الموقع وقاعدة بیاناته المساندة، لكي َیْخدَع قاعدَة البیانات  َتستعمل قاعدَة البیانات، اذ ُیحاولُ 

 .إلى َتنفیذ الرمِز الخبیِث بسبب التصمیِم السّیِئ للتطبیقِ 

تعماِل طرائق إّن النظاَم الُمقَتَرَح مستند الى الَتدقیق في وقِت التشغیل، قبل إدراِج  الزبون المتصل بقاعدِة البیانات باس  

ِت  عدیدة لَجْعل التضمین صالح لإلستعماِل وذلك من خالل المصادقة، الَتْشفیر، َترشیح المحتوى عن طریق الغاء اإلقتباسا

ى . الوحیدِة، تحّدیُد طول الحرَف المتضمنة، وتصفیة رسائل الخطاء  إّن الَحلَّ الُمقَتَرَح فعال وقابل للتوسع فضال عن انه ُیتبّن

في   Apache، و الخادم   MySqlقاعدة بیانات ,HTML PHP ن ِقبل مبرمجي التطبیِق اذ استعملت لغة بسهولة مِ 

  .تصمیم الموقع واختبار الحل المقترح

 SQLامنیة المواقع ، قواعد البیانات الخادم ، هجوم حقن :  الكلمات المفتاحیة