Published on

IJERA (International journal of Engineering Research and Applications) is International online, ... peer reviewed journal. For more detail or submit your article, please visit www.ijera.com

Published in: Technology
  • Be the first to comment

  • Be the first to like this


  1. 1. Urvashi Sanadhya / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-august 2012, pp.2392-2398 Avoid SQL Injection Attacks Urvashi Sanadhya Department of Computer Science, Mewar University, Chittorgarh Tel: 07589397539Abstract An SQL injection attack targets web and feasible solution for this problem in theapplications that are database-driven. The computer security community.methods using for SQL injections are easy tolearn and can cause major or significant damage 2. Survey of SQL injectionto the system. To address this problem, we SQL injection is a vulnerability that allowspresent the different types of SQL injection an attacker to alter backend SQL statements byattacks known to date and will look at a selection manipulating the user input. An SQL injection occursof the methods available to a SQL injection when web application accepts user input that isattacker and how they are best defend against directly placed into SQL statements and does notthem. For each type of attack, we provide property filter out dangerous characters.descriptions and examples of how attacks of that (more) Advanced SQL Injection by Christype could be performed. We also present and Anley [chris@ngssoftware.com] in 18/06/2002analyze existing detection and prevention suggested that the best defence against SQL injectiontechniques against SQL injection attacks. is to apply comprehensive input validation, use a parameterised API, and never to compose queryKeywords-SQL injection, SQL injection attacks, strings on an ad-hoc basis. In addition, a strong SQLAuthentication attacks Server lockdown is essential, incorporating strong passwords.1. Introduction SQL Injection Signature Evasion SQL Injection Attacks are one of the Whitepaper (Imperva) concludes that reliance upontopmost threats for web application security,and signature protections alone is not a practical defenceSQL injections are one of the most serious against SQL injections attacks. A reasonably sizedvulnerability types. The SQL Injection attacks are signature database does not provide reliableeasy to learn and exploitable, so this method of protection while a comprehensive signature databaseattack is easily used by attackers and hackers. Also results in excessive management overhead, dramaticmany major and traditional security systems having performance limitations, and false positives.different security layers like firewall, encryption, Lateral SQL Injection Revisited by Davidintrusion detection systems, Antivirus and anti Litchfield suggest that an attacker needs themalware are not able to detect this type of attack. CREATE PUBLIC SYNONYM system privilege asAlso database mechanism for authentication and a prerequisite to effect this attack, which helps toauthorization can be bypassed by tricky methods mitigate the risk. One should not place faith solely inand using set of rules of that type of database. this prerequisite to afford protection, as methods may be found that bypass the need for this privilege in the SQL Injection is something related to web- future. Instead, it is best practice to use variablehacking, but using some SQL knowledge and legal binding in order to completely mitigate the risk thisSQL commands to make it vulnerable. Its take the technique poses.advantage of the fact over which a poorly secured Lateral SQL Injection A new Class ofweb-application is developed. Also its takes the Vulnerability in Oracle conclude that those functionsadvantage of how data engines process the and procedures that don‘t take user input can bequery/insecure code in database. Many SQL takes exploited if SYSDATE is used. The lesson here isthe advantage of errors/error message generated by always, always validate and don‘t let this type ofsystemon some query responses. SQL Injection vulnerability get into your code. The second lesson isattacks that no longer should DATE or NUMBER data typesemployed by malicious users for different reasons, e. be considered as safe and not useful as injectiong. financial fraud, theft confidential data, deface vectors.website, sabotage, espionage, cyber terrorism, or Analysis of SQL injection prevention usingsimply for fun. Furthermore, SQL Injection attack a filtering proxy server by David Rowe concludetechniques have become more common, more thatambitious, easy to learn/implement, and increasingly  Independent of flaws in application coding andsophisticated, so there is a need to find an effective database privileges 2392 | P a g e
  2. 2. Urvashi Sanadhya / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-august 2012, pp.2392-2398 Can operate on a separate server with real time vulnerable SQL statement. This type of attack is analysis only possible when multiple SQL statements per Another layer of protection database request are supported. 3. Function Call Injection: Function call injection is Secure Query Processing By Blocking SQL process of inserting various database functioninjection by Dibyendu Aich descreibed that SQL calls into a vulnerable SQL statement. Theseinjection is a common technique hackers employ to function calls could be making operating systemattack these web-based applications. These attacks calls or manipulate data in the database.reshape the SQL queries, thus altering the behavior 4. Buffer Overflows: Buffer overflow is caused byof the program for the benefit of the hacker. Show a using function call injection. For most of thetechnique for detecting and preventing SQL Injection commercial and open source databases, patchesAttacks incidents. The technique abstracts the are available. This type of attack is possible whenintended SQL query behaviour in an application in the server is un-patched.the form of an ordered sequence of tokens, as a one- Mostly web-application developing technologiestime offline procedure using static analysis of the are susceptible to this attack:application code. This database is then validated They are JSP, XML, XSL, ASP, JavaScript etc.against the entire different incoming SQL query at which can access database.runtime to capture all malicious SQL queries, beforethey are sent to the database server for execution. To Detection of SQL Injection vulnerabilityminimize searching time and response time it uses Detection of SQL injection vulnerability inthe modern processor architecture by perform the a system is very tough task, as SQL Injection issearching in a multi threaded way as well as it nothing but simple logical game of valid SQLs. Sopredict the possible correct list for an incoming query this can be doing by enter each and every possibleby introducing hit count calculation. way the attacker can input the query. To detect SQL Injection we must have to Using a Web Server Test Bed to Analyze know about how SQL Injection is possible in anthe Limitations of Web Application Vulnerability application and what different types of SQL InjectionScanners by David A. Shelly suggested a method to attacks are.analyze the flaws and limitations of several of the Mainly it can categorize in two stages:most popular commercial and free/open-source web There are two main types of attacks. First-orderapplication scanners by using a secure and insecure attacks are when the attacker receives the desiredversion of a custom-built web application. Using this result immediately, either by direct response from thedescribed method, key improvements that should be application they are interacting with or some othermade to web application scanner techniques to response mechanism, such as email. Second-orderreduce the number of false-positive and false- attacks are when the attacker injects some data thatnegative results are proposed. will reside in the database, but the payload will not be immediately activated. Techniques and Tools for Engineering Furthermore the classification is also based onSecure Web Applications By Gary Michael this commonly two types of attacks:dissertation describes the first formal, realisticcharacterization of SQL injection and the analyses 1. Login authentication attack:can detect and block real attacks and uncover Many web-sites or web-application which deals withunknown vulnerabilities in real world code. transaction/view of user related data must have login panel or login page. They must have mainly two field3. Related Work and Observations of SQL :UserName or UserID and :password and anInjection Attack login/sign in button to login into database. There is There are four main categories of SQL also an ‗forget password link‘ which sends passwordInjection attacks against databases: to the user who make a request by clicking and input1. SQL Manipulation: manipulation is process of desired fields. modifying the SQL statements by using various For our example of SQL injection, we will use a operations such as UNION. Another way for hypothetical form which many people have probably implementing SQL Injection using SQL dealt with before: the ―email me my password‖ form, Manipulation method is by changing the where which many websites have in case one of their users clause of the SQL statement to get different forgets their password. results.2. Code Injection: Code injection is process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the 2393 | P a g e
  3. 3. Urvashi Sanadhya / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-august 2012, pp.2392-2398 Let he guess a field name as ‗email‘ and try in the query and find out if the SQL is valid or not. SELECT <column> FROM <table> WHERE field =‘x‘ and email is null; -- He dont care about matching the email address (which is why use a dummy x), and the -- marks the start of an SQL comment. This is an effective way to "consume" the final quote provided Figure 1- Login by application and not worry about matching them.authentication attack It gives response. If it is a server error, that‘s meansThe way a typical ―email me my password‖ SQl is invalid and syntax error can be thrown. Soform/link works is this: it takes the email address as there must be wrong field name guess, try it for otheran input from the user, and then the application does as ‗email_address‘, ‗emailID‘ etc.a search in the database for that email address. If the If the response is valid, it makes surety thatapplication does not find anything in the database for the guessing field is a valid one.that particular email address, then it simply does not Here ‗AND‘ is use in query to ensure thatsend out an email with a new password to anyone. on valid response there should not be generatedHowever, if the application does successfully find response like ‗here is your password‘ and emailsthat email address in its database, then it will send from the application to the random user. So to avoidout an email to that email address with a new this suspicious activity ‗and‘ is used in query whichpassword, or whatever information is required to will always sure that mail is never generated to anyreset the password. user while getting a valid response.(Here below the dark background and with red font is Similarly other fields/columns are also detectedalways user input.) through hit and trial method. Say email, password, e_id, name.i) First test we do here is to check what error it giveon inserting a single quote. iv) Finding the table name:The query become SELECT <column> FROM Table name can be retrieve through several<table> WHERE <emailfield>=‘ <desiredEmail >‘. approaches. To accomplish this a ‗hit and trial‘ method is use with using SQL functionality ofii) Here an attacker does not know the mail-ID so he accessing the fields.made his mind to manipulate the query which can For example, here ‗email‘ is known field andgive some result. He use tautology query, in which guessed table is ‗emp_master‘. So the executablethe where condition is always true. i.e. query be like :SELECT <column> FROM <table> WHERE SELECT <column> FROM <table> WHERE field<emailfield>=‘abc‘ and ‗1‘=‘1‘; =‘x‘andemp_master.email is null; --But unlike the actual query which should return only If the response of this query is valid or returned asa single value, this query will return every values of ‗Unknown email‘ then SQL was well formed andthe column since query‘s where condition is always table name is properly guessed.true. But the actual record taken for operationalpurpose is the first record returned by the query, or a v) Finding some usersvalue taken at random. Till now table name, column name is guessed. For getting clues about some user, the firstAlways there are mostly three responses for various place to start, of course, is the companys website toinput : find who is who: the "About us" or "Contact" pages ‗Your password has been send to often list whos running the place. Many of these<desiredEmail>‘. contain email addresses. So the ‗LIKE‘ keyword of ‗The entered Email is incorrect‘. SQL helps most to get username. The targeted SQL Some server error. is build some as : SELECT <column> FROM <table> WHERE field The first and second responses are sure =‘x‘ORname like ‗%ram%‘; --about that there is a valid SQL run. Or there is no So gradually by refining name a good guess of usererror in the query passed, while the third one is a bad name can be achieve.SQL since it will return a server/SQL error. 2. URL query based attack:iii) Guessing column name: a) Finding vulnerable/target web-site: Here in the mind of attacker is sure that The vulnerable website have URL endingthere must be email-ID and password in query along with queried field like ‗id=‘ or ‗fieldno=‘ etc. Wewith other user login information. take an example: www.garo.cc 2394 | P a g e
  4. 4. Urvashi Sanadhya / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-august 2012, pp.2392-2398b) Checking the Vulnerability: column field. In order to check the vulnerability, add the For eg.single quotes() at the end of the url and hit enter. (No http://www.garo.cc/text.php?pageid=1 union selectspace between the number and single quotes). 1,2,3,4,5 --For eg. http://www.garo.cc/text.php?pageid=16‘ here from previous method we have found that thereIf the page remains in same page or showing that are 5 numbers of columns used, so we take columnpage not found or showing some other webpage, then sequence upto 5 with the union in the URL.it is not vulnerable. The ‗--‘ sign denote the comment part from whichBUT if it showing any errors which is related to SQL the database engine can not read further coded query.query, then it is vulnerable. On carefully observing the front face of the web- page, we can find one or more numbers as a column sequence which are given and executed by us through union query. Say for example we get number 3 on the web-page, then we concluded that the column number 3rd of the used table is the one which is used for displaying data of that table. So that column is vulnerable. An attacker can get many more information from the help of that column. e) Finding version, database, user: Let say if in step ‗b‘ the error appeared is related to SQL query and have mention the error message with database as MySQL, then according to MySQL : database(), version()/@@version, user() can be used for getting database, its version and currently login user name.Figure 2-URL query based attack For example: http://www.garo.cc/text.php?pageid=1 and unionc) Finding numbers of columns: select 1,2,database(),4,5 – With the help of simple and basic will give the database name on the front face of thatcommands of SQL we can exploit furthermore. web-page where ‗3‘ number is displayed.Put ‗order by n‘ at the end of the URL string. Where Similarly for getting version we have to write URL‗n‘ is the number from 1,2,3,4,5, ... and so on. as :Change the numbers until we get the error like http://www.garo.cc/text.php?pageid=1 and union‗Unknown column‘. The number on which you get select 1,2,database(),4,5 --the error, you make sure the number of column in the and for user information:table which is used in that query is previous one http://www.garo.cc/text.php?pageid=1 and unionwhich give no error. select 1,2,user(),4,5 –For eg: http://www.garo.cc/text.php?pageid=1 orderby 1 -- (no error) f) Finding the table name:http://www.garo.cc/text.php?pageid=1 order by 2 This is the very dangerous situation when-- (no error) for simply using MySQL‘s SQL commands, we canhttp://www.garo.cc/text.php?pageid=1 order by 3 get the tables used in that schema which is using in-- (no error) the web-site.http://www.garo.cc/text.php?pageid=1 order by 4 For example:-- (no error) http://www.garo.cc/text.php?pageid=1 and unionhttp://www.garo.cc/text.php?pageid=1 order by 5 select 1,2,group_concat(table_name),4,5 from-- (no error) information_schema.tables where table_schema =http://www.garo.cc/text.php?pageid=1 order by 6 database() ---- (unknow error) Say output of query is admin,garo_news,The error may occur when we put ‗order by 6‘, then garo_categories, etc.we must say that there are 5 columns in that table. Here attacker may take interest in ‗admin‘ table.d) Displaying the displayable/vulnerable Here an attacker has used various MySQL feature ascolumns: group_concat(table_name), it will concat all the For finding columns which is used to tables name in a string,display its values on web-page, we have to use information_schema.tables, it has stored all‗union select <column 1> ... ‗ information of tables which is used for the particularThe column which is displayable on the web-page is schema.automatically displays its sequence number in its 2395 | P a g e
  5. 5. Urvashi Sanadhya / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-august 2012, pp.2392-2398table_schema=database(), it is a where clause which also restricted to 15 characters only.takes only currently held schema. Definitely these restrictions may not allow any attacker to put long injected SQL in LOGIN fields.g) Finding the column name: Here also an attacker can take full use of d. Data-type conversion must be explicit:SQL commands of MySQL. In order to get column Always if required the datatype conversion must bename it gives URL as : of explicitly done before query execution.http://www.garo.cc/text.php?pageid=1 and union For example: If the username is of numeric type inselect group_concat(column_name) from database. But requirement of field( username) on theinformation_schema.columns WHERE LOGIN form is of string type. Then just before querytable_name=<The table name which we get from execution the username is explicitly converted intoprevious step> — numeric type then pass into query variables forHere also the output of the above URL execution further execution.would give all the column name in that particular This method just filters out any unwanted injectedtable.From here the attacker may peek into the data SQL.of that table, If he take ‗admin‘ table then probablyhe can get login information(username,passwordetc). e. Exception handling: The major flaws in developing the code is that it should not properly4. Prevention of SQL Injection handled for all type of errors. Each and every code From the previous section, we have seen must be properly handled for any type of exceptionthat there are various methods and types that are occurs.used by attacker to get modified SQL query Major SQL Injection Attackers rely on errors occurs.executed. They put some new idea and put it as a They are always waiting for responses occur whenvalid SQL they use full valid functionality of SQL any SQL or related query is injected. With the helpdatabase used and flaws of developers. of responses and errors they obtain much importantThe prevention methods for the above type of attack information as we have seen in previous chapters.are discussed as follows.Prevention for Login Authentication attack and URL f. Avoid ‘LIKE’ in query structure:based attack: Developer should avoid using ‗LIKE‘ in SQL code. As it gives attacker an ease to guess values and data.a. Reject BAD Input: For Eg: SELECT <column_name> FROM First thing is to sanitize the input before it emp_master WHERE name like %ADMIN%. Thegoes into the application for further query execution. attacker attempts to manipulate the SQL statement toIf the input is check before entering in application, execute as – SELECT <column_name> FROMthen the major part of prevention is done. So in emp_master WHERE name like %.general, the BAD input must be restricted. Above query will substitute the input string ADMIN to the query and will search for all the records thatb. Input Datatype: have input string anywhere in the name values. If the In the further series of sanitize input data, we attacker injects the string then he can get all thehave to check for the datatype of user ID – input sensitivedata.variable. Many web-application/database dependentapplication requires user_ID as a numeric field. Then g. System monitoring: A full time DBA canat those application must implement the user_ID monitor the suspicious query execution andfield to be always inputted as numeric values by transaction in the system. He might be monitoring orsetting the datatype as number type. It should restrict auditing sp_tracexxx files time to time.the input for the characters other than numbers only.For eg. SELECT <columns> from emp_master h. Only necessary grant and access arewhere userid=:user_id; Here :user_id is a numeric made for application account in database: If thetype variable which always allows only numeric type application running with database administrator‘sinput data. account then it has potential for an attacker toSo no one can write or inject SQL code in those perform crucial commands with database. He canfields. then able to inject many operating system level commands to explore hard disk of server.c. Input length Similarly if possible where ever only SELECT rightsIt is wiser to set the input length of input are granted would be only granted. This will greatlyfield/variable‘s length. It always restrict the input helpful to restrict injected transaction or other SQLparameters/variables to of fixed length and restrict in system.the attacker too for injecting unusual SQL.For eg. User_ID can be put to maximum 20 i. Update Server by applying time-to-timecharacters. Also the Password field‘s length must patches: It will avoid buffer overflow. Many 2396 | P a g e
  6. 6. Urvashi Sanadhya / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-august 2012, pp.2392-2398attackers if access systems call then using system b. Escaping all encoding in query execution:calls they make buffer overflow condition. These can If SQL keywords are escaped before querybe avoided by applying patches and keep server application, then the attackers put the encodingupdate. method for injecting SQL in legitimate query. Since simple keywords can be caught then the attackersj. Using Parameterised Queries: Many other make their ascii code and put the encoding alongpeople may suggest it to prevent SQL Injection with as injected SQL.attack while LOGIN. In this type, the query is passedin prepared statements where it is executed using Also for an example:procedure call. This is standard procedure call which ‗; INSERTis much trusted. INTOemp_masterVALUES(101,char(0x68)+char(0x 61)+char(0x82)+char(0x64)+char(0x70)); --can5. Algorithm of Proposed Solution insert an attacker‘s oriented user.a. Escaping keywords, quotes and So if char,hex,ascii etc encoding arecomments: In most of the SQL injection attacks, detected in input and then the good input is allow toattacker uses the SQL keywords, quotes and pass in query for execution, then the effort ofcomments in the SQL query and makes the final attacker got waste. For this an algorithm is developedquery as infected. The SQL keywords, quotes and and coded in a procedure. In which differentcomments are legal and are unsuspected, so the encodings are detected and prevent the infected dataattacker make use of them. for further execution in query.So before query execution the input variables must The procedure which can detect different encoding isbe sanitize by an procedure which can detect SQL as follows:keywords, quotes and comments.For eg:username field is given as ‘ ; DROP TABLE procedureis_encoded_field(v_input_fieldvarchar)emp_master; -- begin declareThe legitimate query becomes: v_checkvarchar;SELECT <column_name> FROM emp_master beginWHERE name=‘‘ ;DROP TABLEemp_master; -- ‗ if (v_input_field inand password=‘‘; (‗CHAR‘,‘ASCII‘,‘HEX‘,‘NUMBER‘,‘(‘,‘)‘)) thenThe above query is too much dangerous, since it can v_check=‘TRUE‘;delete the LOGIN table as well as user_information elsetable. So before this variable is set into the query for v_check=‘FALSE‘;further execution. An algorithm of a procedure which end if;can detect SQL keywords, comments, is developed if v_check=‘TRUE‘ thenas follows: message(‗Retry entries.‘); (terminate the process/action and clear the login formprocedureis_validate_field(v_input_fieldvarchar) and go to first field.);begin endif; declare end; v_checkvarchar; end procedure is_encoded_field; begin if (v_input_field in c. Applying Encrypted data technique:(‗SELECT‘,‘INSERT‘,‘DELETE‘,‘UPDATE‘,‘MER For LOGIN form, there are two fields: 1. UsernameGE‘,‘SHUTDOWN‘,‘DROP‘,‘ALTER‘,‘CREATE‘,‘ 2. Password.WHERE‘,‘AND‘,‘OR‘,‘EXEC‘,‘ORDER But for LOGIN/sign in one should be a registeredBY‘,‘UNION‘,‘GROUP BY‘,‘HAVINH‘,‘/‘,‘--‘)) member. Here in the technique when user registerthen himself then server receives request from user and v_check=‘TRUE‘; register as a new user. This is maintain in a user else information table. For eg.we take that table as v_check=‘FALSE‘; ‗emp_master‘. The table contains three fields, 1. end if; Username 2.Password 3.Encrypted key. if v_check=‘TRUE‘ then Here the ‗Encrypted key‘ is generated by system and message(‗Retry entries.‘); must be unique for all registered users.(terminate the process/action and clear the login form This ‗Encrypted key‘ is generated and saved in tableand go to first field.); at the time of user registration and use the ‗username endif; and password‘ field in its forming, its formation is end; initiated through calling a function:end procedure is_validate_field; For example: At the time of user registration, the following insert query is execute for inserting new 2397 | P a g e
  7. 7. Urvashi Sanadhya / International Journal of Engineering Research and Applications (IJERA) ISSN: 2248-9622 www.ijera.com Vol. 2, Issue4, July-august 2012, pp.2392-2398user. different techniqueswhen they are subjected to realINSERT INTO world attacks andvalidinputs.emp_masterVALUES(‘RAM‘,‘ram_password‘,function_en_key(‗RAM‘,‘ram_password‘)); REFERENCESHere ‗function_en_key‘ is a function which [1] Advanced SQL Injection in SQL Servergenerates ‗Encrypted key‘. The function‘s algorithm Applicationsis as follows: [2] SQL Injection Attack and Defensechar function_en_key(:username, :password) PacketSource Security White Papersbegin declarev_enc_keyvarchar; begin v_enc_key [3] Useful stuff_ SQL-Injection Attacks on the:= any_encryption_technique(:username||:password); example RETURN(v_enc_key); [4] SQL Injection Cheat Sheet end; [5] An Authentication Mechanism to preventend function_en_key; SQL Injection Attacks [6] Lateral SQL Injection Revisited Final (1)At the time of user login or sign in, username and [7] SQL Injection Signature Evasionpassword should be matched with the username and Whitepaperpassword in table stored in server, along with the [8] Data-Mining with SQL Injection and‗Encrypted key‘ which is also resides in the table. InferenceIf comparison is successful then the user is allow to [9] Steve Fried‘s Unixwiz.net Tech TipsLogin into the application otherwise make him retry. [10] Prevent SQL Injection in Asp.netThe comparison procedure is as follows: [11] Prevent SQL Injection in Asp.net-- :username and :password are user supplied fields. [12] Robert J. Hansen MeredithL.Pattersonprocedureis_encoded_field(:username, :password) [13] SQL injection Attacks and Defensebegin declare v_checkvarchar; begin [14] An Authentication Mechanism against SELECT ‗x‘ INTO v_check SQL InjectionFROM emp_master WHEREencrypted_key=function_en_key(:username,:password) and name=:username andpassword=:password; (exception handling) if (v_check = ‗x‘) then message(‗Successfullogin‘); else message(‗Try again.‘);(terminate the process/action and clear the login formand go to first field.);end if; end;end procedure is_encoded_field;6. Conclusion and Future work In this paper, we have described a briefstudy of SQL injection as well as a solutionforpreventing SQLInjection Attacks. To perform thisassessment firstly identified the detection of SQLInjection vulnerability. SQLInjection Attacks can beintroduced into anapplication and identified whichmethod was able to hold which mechanism. Lot ofthe techniques have trouble handling attacks thatacquire advantage of poorlycodedstored proceduresand SQL queries cannot handleattacks. This variationcould be clarified by the detailthat focused onPrevention of sql injection. Future work should focus on optimized andevaluating thetechniques correctness and usefulnessin practice. Practicalestimation will be performingwhich permitcomparing the performance of the 2398 | P a g e