Provably throttling SQLI using an enciphering query and secure matching

Abstract

Web applications, which dominate the internet, act as communication media between customers and service providers. Web applications are an internet innovation that provide customer services such as e-banking, e-commerce and e-booking. Developing web applications has become increasingly complicated because of security threats and service issues that involve valuable information. Attack methods such as structured query language (SQL) injection insert malicious code within user input data requests to gain unauthorised access, and then the attacker targets a database to manipulate information. In this paper, we propose a prevention method against SQL injection attacks through cryptography and searchable encryption. The proposed method uses a cryptography technique to encrypt all database information, where each piece of user information is encrypted with a separate key. The rest of the database information is ciphered with secret keys, and a searchable encryption technique is used for other database operations to preserve privacy. The login process compares the ciphered username from the database and user entry to authenticate the user. The proposed method is implemented on the PHP and MySQL databases, which are open-source applications. The results show efficient prevention of SQL injection, and the database remains protected against SQL injection attacks