A taxonomy of SQL Injection Attacks

Nowadays web applications play an important role in online business including social networks, online services, banking, shopping, classes, email and etc. Ease of use and access to web application make them more popular in offering online services instead of in person services. a simple user just need a computer and an internet connection to access web application and use online services provided by that application. There is one core in common between all dynamic web application and that is their need to use a database to store information inside that and retrieve that information upon the user request or add, edit and delete them. Among all database types, rational databases are very popular. Most of relational database management systems such as MySQL, Oracle, MS SQL Server, MS Access, Postgres use SQL as their language. Flexibility of SQL makes it a powerful language. It allows the user to ask what information he wants without having any knowledge about how the information will be fetch. However vast use of SQL based databases make it the center of attention of hackers. SQL injection attack is a well-known security threat to database driven web applications. A successful SQL injection attack reveals critical confidential information to the hacker. In this paper first we provided background information on this vulnerability. Next we present a comprehensive review of different types of SQL injection attack. For each attack we provide an example that shows how the attack launches. Finally we propose the best solution at development phase to defeat SQL injection and conclusion.