
International Journal of Computer Trends and Technology (IJCTT) Volume 4 Issue 8, August 2013

ISSN: 2231-2803    http://www.ijcttjournal.org    Page 2782




An Application to prevent SQL Injection Attacks
using Randomized Encryption Algorithm

Pravallika Thatavarthi #1, Betam Suresh *2

1 pursuing M.Tech(CSE) from Vikas Group of Institutions (Mother Teresa Educational Society Group of Institutions),
Nunna, Vijayawada, Affiliated to JNTU-Kakinada, A.P., India.
2 working as an HOD, Department of Computer Science Engineering at Vikas Group of Institutions (Mother Teresa
Educational Society Group of Institutions), Nunna, Vijayawada, Affiliated to JNTU-Kakinada, A.P., India.





Abstract- With the advanced usage of the web, large amounts of data can be
fetched from anywhere within a minute. This is very beneficial to us, but
the benefits come with some issues, which we discuss here. The issues
concern the security of data against hackers or unauthorized users who
change, corrupt, delete or access the data from the web. To handle these
issues, the developers who build a website use some algorithm by which
the data is changed into encrypted form; for safety from hackers we also
apply such an algorithm at the time the username and password are
entered, so that the username and password become encrypted before they
are sent through the URL and the data remains safe. In this paper we
discuss the security of data from hackers; for that we use Random
Encryption to encrypt the data, i.e. the username and password, and we
also use this concept for the RTA process, in which users request a
number plate for their vehicle with their favorite digits.

I-INTRODUCTION

Numerous reports show that web application attacks are increasing day
by day, so it is very important to be aware of the existing attacks,
because attacks such as phishing and denial of service have become very
common. The most basic attacks are phishing and email spamming. Phishing
was a term originally used to describe email attacks designed to steal
your online banking username and password. However, the term has evolved
and now refers to almost any email-based attack. Phishing uses social
engineering, a technique in which cyber attackers attempt to fool you
into taking an action. These attacks often begin with a cyber criminal
sending you an email pretending to be from someone or something you know
or trust, such as a friend, your bank or your favorite online store.
These emails then entice you into taking an action, such as clicking on
a link, opening an attachment or responding to a message. Cyber
criminals craft these emails to look convincing and send them out to
literally millions of people around the world. The criminals do not have
a specific target in mind, nor do they know exactly who will fall
victim; they simply know that the more emails they send out, the more
people they may be able to fool. Hence everyone needs a basic awareness
of web security. Most sensitive processing now takes place on the web,
and that is where attackers strike and take the precious data we depend
on; one such type of hacking is known as SQL Injection. SQL Injection is
one of the many web attack mechanisms used by hackers to steal data from
organizations. It is perhaps one of the most common application layer
attack techniques used today. It is a type of attack that takes
advantage of improper coding of your web applications, which allows a
hacker to inject SQL commands into, say, a login form in order to gain
access to the data held within your database. SQL Injection is the
hacking technique which attempts to pass SQL commands (statements)
through a web application for execution by the backend database. If
input is not sanitized properly, web applications are exposed to SQL
Injection attacks that allow hackers to view information from the
database and/or even wipe it out. Features such as login pages, support
and product request forms, feedback forms, search pages, shopping carts
and the general delivery of dynamic content shape modern websites and
provide businesses with the means necessary to communicate with
prospects and customers. These website features are all examples of web
applications, which may be either purchased off-the-shelf or developed
as bespoke programs. In essence, SQL Injection arises because the fields
available for user input allow SQL statements to pass through and query
the database directly.
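As an added illustration (not code from the paper), the following Python snippet shows the login-form case described above using Python's built-in sqlite3 module: one query built by string concatenation, which lets the form values become part of the SQL statement, and the same query written with bound parameters, which the database driver treats purely as data. The users table and the credentials in it are constructed here for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Improper coding: the form values are pasted into the SQL text, so a
    quote character in either field changes the statement itself.
    Returns True/False from the query, or None if the statement no longer
    parses (a stray quote in an ordinary name is enough to cause that)."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    try:
        return conn.execute(query).fetchone()[0] > 0
    except sqlite3.Error:
        return None


def login_parameterized(conn, username, password):
    """Fixed version: the '?' placeholders are filled in by the driver, so
    the values are compared literally and are never interpreted as SQL."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "s3cret"))      # True
    print(login_vulnerable(db, "O'Brien", "x"))          # None: the quote breaks the SQL
    print(login_parameterized(db, "O'Brien", "x"))       # False: handled as plain data
```

The parameterized form is the standard mitigation for the weakness the paragraph describes: whatever the user types, including quote characters, is compared as a literal value against the stored columns, so the shape of the statement is fixed by the developer alone.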
directly. SQL Injection is the hacking technique which
attempts to pass SQL commands (statements) through a web
application for execution by the backend database. If not
sanitized properly, web applications may result in SQL
Injection attacks that allow hackers to view information from
the database and/or even wipe it out. Such features as login
pages, support and product request forms, feedback forms,
search pages, shopping carts and the general delivery of
dynamic content, shape modern websites and provide
businesses with the means necessary to communicate with
prospects and customers. These website features are all
International Journal of Computer Trends and Technology (IJCTT) volume4Issue8August 2013
ISSN: 2231-2803http://www.ijcttjournal.org Page 2783

examples of web applications which may be either purchased
off-the-shelf or developed as bespoke programs.

Fig1: SQL Injection

Let us take an example to explain SQL injection. A user enters his
username and password on the website and submits them. At the moment
the data is sent through the URL, the attacker captures that data and
becomes indirectly connected to the bank or website with which you are
interacting; after that, whatever you transmit is simply transferred to
the hacker, who then takes all the money from the bank using your
original username and password. This is how the SQL injection process
works.
II-ARCHITECTURE
SQL injection is mainly an attack on the 3-tier architecture, in which
there are three layers, as follows:

Fig2: 3-Tier Architecture

Client Tier: The client tier is the presentation layer. This layer is
the main layer for the transaction because the person who carries out
the transaction interacts only through this layer. This layer is only
the GUI through which users interact with one another. The user who
interacts with the GUI does not have any knowledge of the coding, and
may not know about SQL injection at all. In this layer the user only
gives input and views the output of his transaction; the user controls
the outer processing through the GUI.
Generally, the goal of human-machine interaction engineering is to
produce a user interface which makes it easy, efficient and enjoyable to
operate a machine in the way which produces the desired result. This
generally means that the operator needs to provide minimal input to
achieve the desired output, and also that the machine minimizes
undesired outputs to the human.
Business Tier: The business tier means all the logical code used for
sending and accepting data from another user or transaction, wherever
it originates; this is why it is called the business tier. It can vary,
because different types of users carry out the process in different
ways. The business tier works on the MVC model. MVC means
model-view-controller: the model is the data access layer; the view is
the presentation layer or GUI for presenting the data, for which we use
JSP or servlets; and the controller is the database connection code
which controls data access from the database.
A controller can send commands to its associated view to change the
view's presentation of the model (e.g., by scrolling
through a document). It can also send commands to the model to update
the model's state (e.g., editing a document).
A model notifies its associated views and controllers when there has
been a change in its state. This notification allows the views to
produce updated output, and the controllers to change the available set
of commands.
A passive implementation of MVC omits these notifications, because the
application does not require them or the software platform does not
support them.
A view requests from the model the information that it needs to
generate an output representation for the user.

Database Tier: The database tier accesses all the data from the
database and sends it to the controller, and the controller sends that
data to the required place. In the database tier one object is created,
and through that object it communicates with all the data. The database
tier stores and retrieves data. It is also responsible for managing
updates, allowing simultaneous (concurrent) access from web servers,
providing security, ensuring the integrity of data, and providing
support services such as data backup. Importantly, a good database tier
must allow quick and flexible access to millions upon millions of
facts. Managing data in the database tier requires complex software.
Fortunately, most database management systems (DBMSs) or servers are
designed so that the software complexities are hidden. To use a
database server effectively, the skills required are designing a
database and formulating queries in the SQL language. An understanding
of the underlying architecture of the database server is unimportant to
most users.

III- PROPOSED SYSTEM
In the proposed system we use two concepts in addition to the previous
system: the first is client side validation and the second is a
randomized algorithm to encrypt the username and password of the users.
We now explain both concepts one by one.
1) Client Side Validation: Client side validation means we use a
different concept to validate the user against the database, so that an
unauthorized user cannot handle the data and the data remains secure.
We use different types of schemes for validating the data. When the
user enters his username and password, we compare them with the
database; if both are the same, the data is accessed. For more security
we encrypt the data: when he/she enters the username and password into
the fields, they pass through the URL, and when the comparison takes
place we first decrypt the username and password and then compare them
with each other; if accepted, the login proceeds, otherwise a message
"invalid user, please try again" is sent. Sometimes we use a captcha:
the user holds half of the captcha and the server holds the other half.
When the user wants to access the data, he/she sends his/her half of
the captcha to the server, both halves are joined together and compared
with the username, password and captcha in the database. Only if
everything matches is he/she able to access the data.

Fig3: client side validation
2) Random4 algorithm
The Random4 algorithm is an algorithm based mainly on cryptography.
Cryptography means that plain text is converted into cipher text: plain
text means the normal text which we use for processing, and cipher text
means the data converted into some encrypted form, which is not readable
unless it is decrypted. The Random4 algorithm uses this concept of
encryption to encrypt the data, so that we are secure from hackers and
unauthorized users. In Random4 there is no guarantee that the same
encryption will be produced every time, and that is why it is called
so. The table below explains how the algorithm works. We compare the
data with the table; if both are equal we go through that value, and
this continues up to the last character of the username and password.
There is a fixed sequence by which we randomly access the data from the
table, and on this concept the random algorithm works.
The simple encryption is used to protect the data from hackers, and
decryption is used to decrypt the data in order to validate whether the
user who gave the username and password is the valid user or not.


Input   R1   R2   R3   R4
b       n    1    X    W
Z       %    K    (    .
D       _    ,    u    0
K       M    6    c    q
0       x    v    g
7       j    r    I    a
O       (    a    8    0

A framework to build the tool generating the encrypted text based on
Random4 is shown in Fig. A normal text is given as input. Each input
character is mapped to one of its four values as in the lookup table.
The key values of each character are concatenated to form the cipher
text.

ALGORITHM:-

Input:  input string ip[]
Output: encrypted string en[]
N: length of ip[]
R: random values (R[1]..R[4]) of the character ip[i] from the lookup table

For i = 1 to N
    If (ip[i+1] = null OR ip[i+1] = lowercase) Then
        en[i] = R[1]
    Else If (ip[i+1] = uppercase) Then
        en[i] = R[2]
    Else If (ip[i+1] = spl.char) Then
        en[i] = R[4]
    End If
End For
Return en[]
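Added example, not the paper's own code: a Python implementation of the Random4 lookup scheme from the pseudocode above, together with the server-side step from section III.1 (decrypt the values received through the URL, then compare them with the stored username and password). The alphabet, the symbol pool and the lookup table are constructed here from a seeded generator rather than taken from the paper's table; mapping to R3 when the following character is a digit is this example's own assumption, since the pseudocode never uses R3 and does not say what happens in that case. The example also goes one step beyond the pseudocode: because the column used for a symbol is fixed by the class of the character after it, decryption walks the cipher text from right to left, so each column only has to be injective on its own.

```python
import random
import string

# Alphabet of characters this example can encrypt (constructed for the demo).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*_-."
# Pool of substitute symbols: printable ASCII without whitespace (94 symbols).
POOL = [c for c in string.printable if not c.isspace()]


def make_table(seed):
    """Build a Random4-style lookup table: each alphabet character gets four
    substitute symbols R1..R4.  The values are generated here (assumption:
    the paper's own table is the one shown above).  Each column is a
    separate shuffle of the pool, so inside one column no symbol stands for
    two characters; decrypt() depends on that property."""
    rng = random.Random(seed)
    columns = []
    for _ in range(4):
        shuffled = POOL[:]
        rng.shuffle(shuffled)
        columns.append(shuffled[:len(ALPHABET)])
    return {ch: tuple(col[i] for col in columns) for i, ch in enumerate(ALPHABET)}


def column_for(next_char):
    """Column index chosen by the class of the *following* character, as in
    the paper's pseudocode: end of string or lowercase -> R1, uppercase ->
    R2, special character -> R4.  Digit -> R3 is this example's assumption."""
    if next_char is None or next_char.islower():
        return 0
    if next_char.isupper():
        return 1
    if next_char.isdigit():
        return 2
    return 3


def encrypt(table, plaintext):
    """en[i] = R[column](ip[i]) where the column depends on ip[i+1]."""
    out = []
    for i, ch in enumerate(plaintext):
        nxt = plaintext[i + 1] if i + 1 < len(plaintext) else None
        out.append(table[ch][column_for(nxt)])
    return "".join(out)


def decrypt(table, ciphertext):
    """Walk right to left: the last symbol always comes from R1 (nothing
    follows it); once a character is recovered, its class fixes the column
    of the symbol before it.  Raises KeyError for a symbol not in the table."""
    reverse = [{} for _ in range(4)]
    for ch, symbols in table.items():
        for col, sym in enumerate(symbols):
            reverse[col][sym] = ch
    recovered = []
    nxt = None
    for sym in reversed(ciphertext):
        ch = reverse[column_for(nxt)][sym]
        recovered.append(ch)
        nxt = ch
    return "".join(reversed(recovered))


def validate_login(table, stored_users, cipher_user, cipher_pass):
    """Server side of the scheme in section III.1: decrypt what arrived via
    the URL, then compare with the stored credentials (a constructed dict
    stands in for the database here)."""
    try:
        user = decrypt(table, cipher_user)
        pw = decrypt(table, cipher_pass)
    except KeyError:
        return False  # malformed input: a symbol that is not in the table
    return stored_users.get(user) == pw


if __name__ == "__main__":
    table = make_table(seed=4)
    users = {"alice": "Passw0rd!"}           # constructed credential store
    cu, cp = encrypt(table, "alice"), encrypt(table, "Passw0rd!")
    print(cu, cp)
    print(validate_login(table, users, cu, cp))      # True
    print(validate_login(table, users, cu, encrypt(table, "wrong")))   # False
```

Two points worth noting when reading the block. The same plaintext character produces up to four different symbols, but which one is used is fully determined by the character after it, so for a fixed table the mapping is deterministic. The table itself is therefore the secret of the scheme and has to be protected like a key: anyone holding it can run decrypt() exactly as the server does, and a table that repeats a symbol within one column (as the paper's sample table does for "0" in R4) cannot be decrypted unambiguously.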

using the Random4 algorithm, and since the encryption logic is also
application specific, it is highly difficult and time consuming to
decrypt it and deploy an attack. With the help of randomized algorithms
we prevent 80% of unauthorized access to or hacking of the data; it is
a very helpful application for the security of our data. This type of
security is mostly used in web applications where a large number of
users keep their data secure, or register themselves to store or access
data in the database. Using the randomized algorithm, when we log in to
the website we encrypt the username and password and then pass them
through the URL, so that nobody is able to obtain the original username
and password, and lastly we decrypt the data when we compare the
username and password with the database to log the user in.

Lastly we also implement the RTA plans in our application, in which we
can generate the number plate for vehicles. First, for that we must
choose the numeric number and our favorite alphabet, and depending on
these we generate one number for the vehicle. A registration module is
also there.


IV- CONCLUSION

In the world of the web, hacking of data, theft of data and alteration
of data are very basic things; the main problem is SQL Injection, in
which hackers hack your data indirectly: when you enter your username
and password and press the submit button, your data is sent through the
URL, and at that moment the hacker receives your data (username and
password) and uses it to corrupt, modify or delete data, and if money
is there he transfers all the money from your account. So to prevent
this problem we used the Random4 algorithm to secure the data from
hackers. SQL injection is of different types; one is email spoofing, in
which the attacker gets into your mail and takes all the necessary
information from it.
We also worked on the RTA process, in which the user registers to take
a number plate of his/her choice; after login the user chooses a
favourite number for the number plate of two, three or four digits, and
after 3 days the number is generated for the user who requested it.
This is an easy way to obtain a vehicle number of our own choice.






AUTHORS PROFILE

Pravallika Thatavarthi is pursuing M.Tech(CSE) at Vikas Group of Institutions (Mother Teresa Educational Society
Group of Institutions), Nunna, Vijayawada, Affiliated to JNTU-Kakinada, A.P., India.

Betam Suresh is working as an HOD, Department of Computer Science Engineering at Vikas Group of Institutions
(Mother Teresa Educational Society Group of Institutions), Nunna, Vijayawada, Affiliated to JNTU-Kakinada, A.P., India.