Abstract

The article reviews SQL injection and SQL identifier injection attacks (SQL-IDIA) in database management systems, identifies their nature, the threats they pose, and the types of these attacks. A new method of protecting database management systems from SQL identifier injection attacks is also covered. The proposed solution is a pair of functions that can be added to the prepared statement API: setColumnName, which takes a column name and its index as arguments, and setTableName, which takes a table name and its index as arguments. This method allows prepared statements to fill placeholders with table and column names, prevents SQL-IDIA, does not expose schema information, and is not subject to the limitations of input-based sanitization approaches. These two functions help prevent database management systems from leaking confidential database information by performing a default operation when the supplied column or table name does not exist in the database. For example, if a column name is used in a particular function and that column name is invalid, the database management system sorts the results by the first column of the table. Only table and column names were examined in our extended API, as an analysis of GitHub code showed that 96% of concatenated identifiers were table and column names. In all experiments, the new setColumnName function outperformed the dynamic whitelisting implementation. In two experiments, the static whitelist implementation slightly outperformed the new setColumnName function. Although the whitelisting approach has a slight performance advantage in those cases, whitelisting approaches can add non-trivial complexity to program code and lead to erroneous results. The new setColumnName function successfully prevented all of these attacks. Filling placeholders with column names is practical and effective compared to existing ad hoc approaches, adds no overhead compared to the existing prepared statement functions, and is effective against SQL identifier injection attacks.
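
As an added illustration of the approach the abstract describes (example code written for this page, not the paper's API or implementation), the following Python sketch uses an in-memory SQLite database with a constructed schema to contrast identifier concatenation with schema-resolved placeholder filling, including the first-column fallback for unknown names. The functions set_table_name and set_column_name mirror the paper's setTableName and setColumnName in purpose only; their signatures and the fallback-to-first-table rule are assumptions.

```python
import sqlite3

# Constructed sample schema and rows for this demonstration (not from the paper).
SCHEMA_SQL = """
CREATE TABLE employees (id INTEGER, name TEXT, salary INTEGER);
INSERT INTO employees VALUES (1, 'Bob', 50000), (2, 'Alice', 70000), (3, 'Carol', 60000);
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_SQL)
    return conn

def quote_ident(name):
    # SQL-standard double quoting; applied only to names already confirmed to exist.
    return '"' + name.replace('"', '""') + '"'

def set_table_name(conn, candidate):
    # Resolve an untrusted table name against the catalogue; an unknown name
    # maps to the first table instead of surfacing an error (assumed rule).
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return candidate if candidate in tables else tables[0]

def set_column_name(conn, table, candidate):
    # Resolve an untrusted column name against the table's real columns; an
    # unknown name falls back to the first column, the default the paper describes.
    cols = [r[1] for r in conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
    return candidate if candidate in cols else cols[0]

def ids_sorted_unsafe(conn, user_table, user_column):
    # Vulnerable form: identifiers concatenated into the statement, so any SQL in
    # user_column runs and an unknown name leaks "no such column: ..." to the caller.
    return [r[0] for r in conn.execute(f"SELECT id FROM {user_table} ORDER BY {user_column}")]

def unsafe_error_for(conn, user_column):
    # Capture the error text the vulnerable form exposes for an unknown column.
    try:
        ids_sorted_unsafe(conn, "employees", user_column)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)

def ids_sorted_safe(conn, user_table, user_column):
    # Hardened form: identifier placeholders are filled only with names resolved
    # against the schema, so untrusted text never reaches the SQL parser.
    table = set_table_name(conn, user_table)
    column = set_column_name(conn, table, user_column)
    return [r[0] for r in conn.execute(
        f"SELECT id FROM {quote_ident(table)} ORDER BY {quote_ident(column)}")]
```

The error string returned by unsafe_error_for is the schema leak the abstract refers to: it tells the caller whether a guessed column exists, whereas the hardened form answers every unknown name with the same default ordering.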
