Abstract: Web users now depend on database-driven web applications for a growing range of activities, such as banking, reservations and shopping. When performing these activities, we entrust our personal information to the web applications and to their underlying databases. Web applications are often vulnerable to attacks that can give an attacker complete access to the underlying database. In an SQL Injection Attack, an attacker exploits a vulnerability in a custom web application by entering SQL code into an input field, such as a login form. If successful, the attack can give the attacker access to the data in the database used by the application and the ability to run malicious code on the web site. The vulnerability arises when developers build dynamic queries by concatenating hard-coded SQL strings with user-provided input: if that input is not properly validated, an attacker can change the developer's intended SQL command by inserting new SQL keywords or operators through specially crafted input strings. Because an SQL Injection Attack passes through the same stages as a normal request from a genuine user, the core components of the server may not be able to distinguish it from legitimate traffic or detect the attack on the database. Several methods have been proposed to detect and prevent SQL injection attacks. We devise a method that combines defensive coding with a secure hash algorithm to prevent SQL injection attacks. The method is presented through an overview, diagrams and a step-by-step procedure for implementing the technique to protect a web application against SQL Injection. We show that the technique can be used effectively to prevent SQL Injection Attacks that bypass authentication in a web application without degrading the system's performance. Finally, the method is implemented in a web application backed by a MySQL database.
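The mechanism the abstract describes (string concatenation lets a crafted username rewrite the login query, so an attacker is authenticated without a valid password) and the defensive-coding countermeasure are shown below in an added example written for this page; it is not the authors' implementation or their exact hashing scheme. It assumes a single `users` table with a username and a stored PBKDF2-HMAC-SHA256 password hash, uses an in-memory sqlite3 database as a stand-in for the paper's MySQL database so that it runs offline, and uses one fixed application-wide salt to keep the login to a single query (a production system should store a random per-user salt).

```python
import hashlib
import hmac
import re
import sqlite3

# Assumptions for this example (not from the paper): one fixed application salt,
# and a username whitelist of letters, digits and underscore.
APP_SALT = b"example-app-salt"
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def hash_password(password: str) -> str:
    """PBKDF2-HMAC-SHA256 of the password, hex-encoded so it can be stored and compared as text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), APP_SALT, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed sample database: sqlite3 stands in for MySQL; one account 'alice' / 's3cret'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    con.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_password("s3cret")))
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Dynamic query built by string concatenation.

    The username is pasted into the SQL text unchanged, so a quote character in it
    terminates the string literal and everything after it is parsed as SQL.
    """
    sql = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND pw_hash = '{hash_password(password)}'"
    )
    return con.execute(sql).fetchone() is not None


def login_hardened(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Defensive coding: whitelist the username, bind it as a query parameter instead of
    concatenating it, and compare the stored hash in constant time."""
    if not USERNAME_RE.fullmatch(username):
        return False
    row = con.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_password(password))


# Classic tautology payload: closes the username literal, makes the WHERE clause always
# true, and the trailing "--" comments out the password check that follows.
BYPASS = "' OR '1'='1' --"


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, genuine user:", login_vulnerable(con, "alice", "s3cret"))
    print("vulnerable, bypass payload:", login_vulnerable(con, BYPASS, "anything"))
    print("hardened, genuine user:", login_hardened(con, "alice", "s3cret"))
    print("hardened, bypass payload:", login_hardened(con, BYPASS, "anything"))
```

With the payload the vulnerable query becomes `SELECT username FROM users WHERE username = '' OR '1'='1' --' AND pw_hash = '...'`, which returns a row for any password, so the attacker is logged in. In the hardened version the whitelist rejects the payload outright, and even without the whitelist the bound parameter would be matched as a literal username rather than parsed as SQL. Hashing protects the stored credential if the table is ever read out; it does not by itself stop the injection, which is why the parameterised query is the essential part of the fix.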
Keywords: SQL, Hash, Web application, Database, vulnerable.