Category Archives: Project

Projects involved

Assignment – Database – SQL Injection in Web Application System

SQL Injection in Web Application System

Ahmed Noor Kader Mustajir Md Eusoff

Faculty of Information Management

Universiti Teknologi MARA

Abstract: SQL injection has been a major problem for developers of web-based applications and websites. Many of these problems can be avoided if administrators are aware of the security holes in their SQL statements and fix the vulnerabilities before an attacker manipulates them to gain access and modify system information. These attacks have cost organizations millions, wasted the effort invested in their systems, and damaged their integrity in the eyes of their clients. Countermeasures have been proposed that reduce the attacks, even if they cannot stop them completely, because flaws remain in the systems. Every database system has flaws, and SQL statements can be manipulated to inject malicious code and Trojans into the system.

Keywords: SQL, SQL Injection, SQL Statement, Web Application System, Vulnerability.


Structured Query Language (SQL) is the standard language used to communicate with a relational database. The prototype was initially developed by IBM, using Dr. E.F. Codd's paper "A Relational Model of Data for Large Shared Data Banks" as its model. Its scope covers data query and update, schema creation and modification, and data access control. SQL is pronounced in either of two ways, as the letters S-Q-L or as "sequel". Both pronunciations are acceptable, though most experienced SQL users tend to use the second, according to Plew & Stephens (2002).

SQL is a standard language for accessing and manipulating databases. It can execute queries; retrieve, insert, update and delete records; create new databases, tables and views; set permissions on tables, procedures and views; and create stored procedures. SQL was accepted as a standard by the American National Standards Institute (ANSI) and by the International Organization for Standardization (ISO) in 1987. SQL was first implemented in SEQUEL-XRM, an IBM prototype of the mid-1970s, and a subset of the language was then used in IBM's System R. ORACLE became the first commercial Database Management System (DBMS) to offer SQL, and other commercial products followed: SQL/DS, DB2, SYBASE, UNIFY, DG/SQL, INTERBASE and INFORMIX. This trend made SQL the de facto standard for DBMSs (Calero et al., 2006).

The SQL standard was revised in 1989 with a few improvements, such as referential integrity, and SQL2 (SQL-92) was published by ISO a few years later. Calero et al. (2006) and Plew & Stephens (2002) state that SQL3 (SQL:1999) added object-oriented capabilities, sensitive cursors, user roles, table generalization, a recursive query operator and user-defined data types. The SQL:2003 revision added new basic data types (multiset, XML, bigint), SQL/XML, extensions to the CREATE TABLE statement, a new MERGE statement and two new kinds of columns (generated and identity). SQL:2006 added ways of importing, storing and manipulating XML data in the database. The latest revision, SQL:2008, includes INSTEAD OF triggers, the TRUNCATE statement and extensions to ORDER BY. These revisions have enhanced SQL over time according to current and future needs.

SQL Implementation

Many applications store their information in a database, yet there is a lack of test adequacy criteria and test-case design procedures designed specifically for database programs. Mutation of SQL queries is one approach that helps testers develop test cases or serves as the basis for test automation tools. According to Tuya, Suarez-Cabal & Riva (2007), it is a very useful tool for systematically injecting faults into queries and using the faulty queries to analyse the effectiveness of a test suite. This can guide test-case generation and the comparison of different assessments for database applications.

Libkin (2003) points out that SQL:2003 has several features that distinguish it from relational algebra: aggregate functions, grouping and arithmetic. An aggregate function computes a value over a column, such as an average; the standard aggregates are MAX, MIN, SUM, AVG and COUNT. Grouping partitions the data by the values of one or more attributes, and arithmetic allows SQL to apply arithmetic operations to numeric values.

Brass & Goldberg (2006) investigated classes of SQL queries that are syntactically correct but produce unintended results, which they call semantic errors. A syntactic error occurs when the character string entered is not a valid SQL statement. A semantic error occurs when the SQL query executes but does not produce the result the user wanted; such a query may also be harder for the database to optimise than the one the user intended.

SQL Injection

Kost (2007) found that most application developers underestimate SQL injection attacks; they are either unaware of them or do not understand them. SQL injection can be exploited remotely without any application or database authentication, and the attacks are simple and easy to execute. SQL has many advantages but also weaknesses that can affect the performance of the database and of the system itself. SQL attacks include SQL manipulation, code injection, function call injection and buffer overflows. SQL manipulation modifies an existing SQL statement, for example by adding a UNION operation or altering the WHERE clause, so that it returns unintended results. Code injection inserts a new SQL statement into the existing statement and only works when the server supports multiple SQL statements per database request. These two are the most commonly described attacks.
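To make the two attack shapes concrete, here is an added example (not code from the paper or from any work it cites) that runs a login query built by string concatenation against an in-memory SQLite table. The users table, the accounts and the payloads are constructed for illustration. It shows a WHERE-clause tautology and a UNION (SQL manipulation) succeeding, and a stacked statement (code injection) failing because this driver refuses more than one statement per request, which is exactly the condition the paragraph names.

```python
"""SQL manipulation and code injection against a login query built by
string concatenation. Added example; the users table and accounts are
constructed for illustration and are not from any real system."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "s3cret", "admin"), (2, "bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # The statement and the user input are one string, so the input can
    # change the structure of the statement, not just its values.
    sql = (
        "SELECT name, role FROM users WHERE name = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def tautology_bypass(conn: sqlite3.Connection) -> list:
    # SQL manipulation of the WHERE clause: the quote closes the literal,
    # OR '1'='1' makes the predicate always true and -- comments out the
    # password check. Every row comes back, so the login "succeeds".
    return login_vulnerable(conn, "' OR '1'='1' --", "irrelevant")


def union_dump(conn: sqlite3.Connection) -> list:
    # SQL manipulation with UNION: a second SELECT with the same number of
    # columns returns data the original query was never meant to expose.
    payload = "x' UNION SELECT name, password FROM users --"
    return login_vulnerable(conn, payload, "irrelevant")


def stacked_statement(conn: sqlite3.Connection) -> str:
    # Code injection: terminate the statement and append a new one. It only
    # works when the driver or server runs several statements per request;
    # sqlite3's execute() refuses, so the DELETE never reaches the database.
    try:
        login_vulnerable(conn, "x'; DELETE FROM users; --", "irrelevant")
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "rejected: one statement per request"


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "s3cret"))
    print(tautology_bypass(db))
    print(union_dump(db))
    print(stacked_statement(db))
```

On a server or driver that does accept stacked statements (many MySQL and SQL Server client libraries can be configured to), the last case would delete the table's contents; the first two work everywhere, which is why the manipulation attacks matter more in practice than the stacked form.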

"SQL Slammer" was a worm that infected Microsoft Desktop Engine (MSDE) and Microsoft SQL Server 2000 by exploiting a buffer overflow in the server; the traffic it generated caused a widespread denial of service. Hilley (2003) states that Slammer attacked port 1434 and affected many ISPs and organizations around the world. Slammer is a memory-corruption worm rather than an SQL injection, but it shows what an exposed database server is worth to an attacker. In another incident, a sports event website was infected with malware that planted a Trojan on visitors using Internet Explorer without the Vector Markup Language (VML) patch. The attackers exploited an SQL injection vulnerability (SQLIV) present in code auto-generated by Dreamweaver (Ullrich & Lam, 2008). The Dreamweaver-generated code affected JSP, PHP and ASP pages alike, and the exposure allowed the attackers to inject SQL into the website. They used the injection to alter data in the database, which led to website defacement. Defacement alters the visual appearance of a website; although such attacks may be harmless in themselves, they tarnish the organization's image, and some defacements also plant Trojans or malware on the server that attack users who visit the site. These attacks have cost companies and users millions because of server and website downtime. Recovery has to be done quickly, and the errors have to be troubleshot repeatedly to reduce further attacks before the server goes live again. The organization must be accountable for the attack and admit that poor maintenance and administration of the system were to blame.

According to Gollmann (2008), in 2006 SQL injection ranked second among web vulnerabilities, and web application vulnerabilities of this family have been used to attack major sites such as MySpace and Gmail. Gollmann groups these vulnerabilities into three categories: a naive execution model, circumvention of the same-origin policy, and inadequate handling of malicious input. The attacks exploit the interface between the web server and the back-end database server. The root of the problem is the execution model, so changing it is what reduces the attack: the SQL query is constructed before any user input is added. With bound parameters, the query is compiled first with placeholders, and at execution time the placeholders are filled with the actual user input, which is therefore never interpreted as SQL. Stored procedures or parameter lists are sometimes an alternative way to avoid SQL injection, but they can cause problems at the server back end. Error messages are meant to help the developer, but they also reveal valuable information about the structure of the database to a potential attacker, who can use the exposed details to gain further access by searching the internet for known flaws in the identified software or by drawing on previous experience.

Thomas, Williams & Xie (2009) state that 10% of all reported vulnerabilities were SQL injection vulnerabilities (SQLIVs). SQL injection is present when an SQL statement does not keep the input separate from the statement structure: input sent by the application at runtime is combined with the statement structure before it reaches the database, and can therefore modify the database's data and even its structure. They propose a prepared statement replacement algorithm (the PSR-Algorithm) that removes the vulnerability. It removes the threat of SQL injection with minimal manual intervention and does not need to be integrated into the runtime environment, unlike other solutions which do. The generated prepared-statement code produces the same queries for standard data as the original. The PSR-Algorithm can be extended in the future to other languages and as a technique for implementing prepared statements in other solutions. Prepared statements reduce the attack, but the system administrator still needs to analyse them and make sure they cannot be misused by an attacker and do not overburden the back-end server that holds the database; if the back-end server is asked to process more than it can, other problems occur, such as server overload, hangs or the need to reboot.
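The before-and-after that a prepared statement replacement produces, as an added example (this is not the PSR-Algorithm's own output or code; the users table is constructed for illustration). The two properties worth checking are the ones the paragraph names: ordinary input gives identical results in both forms, while the tautology payload only works against the concatenated form. A name containing a quote is included because it shows a third benefit, the concatenated query breaks on it and the prepared one does not.

```python
"""Prepared-statement replacement: the login query in its concatenated form
beside the same query with bound parameters. Added example, not the
PSR-Algorithm's own code; the users table is constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "s3cret", "admin"), (2, "bob", "hunter2", "user"),
         (3, "o'reilly", "pw", "user")],
    )
    return conn


def login_concat(conn, username: str, password: str) -> list:
    # Before: the input is spliced into the statement text.
    sql = ("SELECT name, role FROM users WHERE name = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, username: str, password: str) -> list:
    # After: the statement is compiled with placeholders and the values are
    # bound at execution time, so they can only ever be compared as data.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Ordinary inputs on which both forms must agree (constructed).
STANDARD_CASES = [("alice", "s3cret"), ("bob", "hunter2"),
                  ("alice", "wrong"), ("carol", "x")]


def equivalent_on_standard_data(conn) -> bool:
    return all(login_concat(conn, u, p) == login_prepared(conn, u, p)
               for u, p in STANDARD_CASES)


def injection_outcomes(conn) -> dict:
    # Row counts returned to the tautology payload by each form.
    payload = "' OR '1'='1' --"
    return {"concat": len(login_concat(conn, payload, "x")),
            "prepared": len(login_prepared(conn, payload, "x"))}


def quote_handling(conn) -> dict:
    # A legitimate quote in the data: the concatenated query is malformed,
    # the prepared one simply matches the user.
    try:
        concat = len(login_concat(conn, "o'reilly", "pw"))
    except sqlite3.Error:
        concat = "error"
    return {"concat": concat, "prepared": len(login_prepared(conn, "o'reilly", "pw"))}


if __name__ == "__main__":
    db = make_db()
    print(equivalent_on_standard_data(db), injection_outcomes(db), quote_handling(db))
```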

In contrast, Kardkovacs & Tikk (2007) state that their ISA algorithm does not deal with uncertainty as long as the transformation procedure does not fail: it creates every possible solution from the knowledge base it has acquired. If the transformation succeeds there is a well-formed query as a result; if not, the query produces no real uncertainty since there is no alternative to present. The algorithm they propose cannot handle expressions with a symbolic or wider sense, terms that assume deeper human knowledge, derivatives of predicate verbs, or idiomatic expressions. The most common forms of SQL injection attack (SQLIA) are incorrectly passed parameters, incorrect type handling and incorrectly filtered quotation characters. They include code injection attacks, in which code is fed into a computer system or program to exploit its vulnerabilities (Mitropoulos & Spinellis, 2009). These actions let a hacker or other user view sensitive data, modify or destroy it, and even crash the system. The destroyed data may be valuable to the organization, such as client data or private organizational information, and losing it may threaten the organization's ability to run its business as well as the trust of its current and potential clients.

Morgan (2006) states that several preventive measures reduce SQL injection attacks: run the SQL server with minimal privileges (for example, not as SYSTEM or as administrator); lock down the SQL server; restrict the SQL server from accessing the file system and the cmd.exe command; allow the web application to perform actions only through stored procedures, which help sanity-check the query; implement effective parameter validation that rejects any query containing bad parameters; and implement effective network-level access control. These measures cannot eliminate SQL injection, only reduce it, and if an attack does occur the system administrator must check the system again, especially the SQL parameters. Limited access is among the procedures to take most seriously, because it stops the attacker from reaching other systems when more than one system shares the server: the limited privileges of the compromised account mean the other systems are not exposed to the attacker.
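What "minimal privileges" buys you when the injection itself is not fixed, as an added example (not from Morgan's paper). SQLite has no user accounts, so the example models a database account that may only read the one table the page needs by using sqlite3's authorizer hook; the tables and rows are constructed. The search query stays injectable, but a UNION into the staff table and any write or schema change are refused at the privilege boundary.

```python
"""Least privilege for the database account: the web application's
connection may read only the table it needs. Added example using sqlite3's
authorizer hook to model a minimally privileged account; tables and rows
are constructed for illustration."""
import sqlite3

PUBLIC_TABLES = {"products"}


def web_account_authorizer(action, arg1, arg2, db_name, trigger):
    # Called by SQLite while compiling each statement. Allow SELECT
    # statements, built-in functions and reads of public tables; deny every
    # write, schema change and read of any other table.
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in PUBLIC_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.execute("CREATE TABLE staff (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("apple", 1.5), ("pear", 2.0)])
    conn.executemany("INSERT INTO staff VALUES (?, ?)", [("dba", "s3cret")])
    conn.commit()
    # From here on the connection behaves like the web application's account.
    conn.set_authorizer(web_account_authorizer)
    return conn


def search_vulnerable(conn, term: str) -> list:
    # Still injectable on purpose; the privilege boundary limits the damage.
    sql = "SELECT name, price FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def attempt(conn, term: str) -> str:
    try:
        return "rows:%d" % len(search_vulnerable(conn, term))
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces as DatabaseError
        return "denied: %s" % exc


def run_as_web_account(conn, sql: str) -> str:
    # Stands in for a stacked statement or a write-path injection.
    try:
        conn.execute(sql)
        return "executed"
    except sqlite3.DatabaseError as exc:
        return "denied: %s" % exc


if __name__ == "__main__":
    db = make_db()
    print(attempt(db, "apple"))
    print(attempt(db, "x' UNION SELECT name, password FROM staff --"))
    print(run_as_web_account(db, "DELETE FROM products"))
    print(run_as_web_account(db, "DROP TABLE staff"))
```

On a real server the same boundary is a dedicated login with SELECT granted on the application's tables only, no membership in administrative roles, and the command-execution extensions (such as xp_cmdshell on SQL Server) disabled, which is what Morgan's "not as SYSTEM" and "no cmd.exe" items amount to.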

Huang et al. (2003) focus on SQL injection and cross-site scripting vulnerabilities because both exist in many web applications, and their detection and avoidance are still considered difficult for system administrators. The researchers chose a black-box approach, which analyses a web application externally without needing its source code, as opposed to the white-box approach; the two complement each other. Black-box tools can perform the analysis and identify vulnerable sites very rapidly. To use such a tool for SQL injection faults, reverse engineering must first be done to discover all data entry points. Once that is done, malicious SQL patterns are injected into the server-side program to observe how it processes user input. The security tests include extracting the syntax and semantics of input fields, identifying data entry points, injecting malicious SQL patterns, generating valid data for input fields, formatting and sending HTTP requests, analysing the replies and, most importantly, monitoring the browser's behaviour when it executes active content delivered by the web application. The system administrator can also examine the system logs with the log analysis applications included with the server. These logs record server and user activity and give the administrator crucial information for tracking what happened on the system and server.
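The log-review step at the end of that paragraph, as an added example (not from Huang et al.): a scanner that URL-decodes each query parameter in web server access log lines and flags the injection shapes discussed in this paper. The log lines are constructed in Common Log Format and do not come from a real server; the path names and parameters are invented. A legitimate apostrophe (o'reilly) is included to show that the patterns look for SQL structure, not merely for a quote character.

```python
"""Scanning a web server access log for SQL injection probes. Added
example for the log-review step; the log lines are constructed in Common
Log Format and are not from a real server."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:15:01 +0800] "GET /product.asp?id=42 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2009:10:15:07 +0800] "GET /product.asp?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9870
10.0.0.9 - - [12/Mar/2009:10:15:12 +0800] "GET /product.asp?id=42%20UNION%20SELECT%20name%2Cpassword%20FROM%20users-- HTTP/1.1" 500 320
10.0.0.7 - - [12/Mar/2009:10:16:30 +0800] "GET /search.asp?q=o%27reilly HTTP/1.1" 200 4100
10.0.0.9 - - [12/Mar/2009:10:16:45 +0800] "GET /news.asp?id=7%3B%20DROP%20TABLE%20news%3B-- HTTP/1.1" 500 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the attack shapes discussed in the paper; each is tested
# against the decoded value of every query parameter.
PATTERNS = {
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "stacked": re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.I),
    "comment": re.compile(r"--|/\*"),
}


def classify(value: str) -> list:
    return [name for name, rx in PATTERNS.items() if rx.search(value)]


def suspicious_requests(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        # parse_qsl undoes the %-encoding the attacker used in the URL.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            hits = classify(value)
            if hits:
                findings.append({"ip": m["ip"], "path": parts.path, "param": key,
                                 "value": value, "hits": hits,
                                 "status": int(m["status"])})
    return findings


def sources(findings) -> Counter:
    # Probes usually come in runs from one address; count them per source.
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["path"], f["param"], f["hits"], f["status"])
    print(sources(found))
```

The 500 responses next to the UNION and stacked probes are the detail a reviewer should act on: they mean the injected SQL reached the database and the error went back to the client, which is the information leak the paper warns about further down.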

Prevention of SQL Injection

A query from the application is recognized by combining three characteristics: the method invocation stack trace leading down to the target method that issues the query, the tables and fields the query uses to retrieve its result, and the SQL keywords it contains. Combined, these characteristics form a signature that identifies a legitimate query and reveals an injected one. Before comparison the query is reduced to this skeleton by removing its numeric and string literals. SDriver is a prototype application that uses this approach to prevent SQL injection attacks on web-based applications: it associates queries with the locations in the application that issue them and stores their signatures during a training phase, then rejects queries whose signature does not match a stored one, so that bogus queries never reach the database (Mitropoulos & Spinellis, 2009). SDriver is released under an open-source license, so anyone can use it for free and modify or customize it according to the needs of their system. Such modifications help the system administrator maintain the system more efficiently and support the organization's use of it.
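A small implementation of the signature idea, as an added example written in the spirit of SDriver (it is not SDriver's code; the application functions, queries and names are constructed). The driver wrapper records (call site, query skeleton) pairs during training and blocks anything else in production. The skeleton strips string and numeric literals, so different user names produce the same signature while an injected OR or UNION changes it; the call site is the calling function's name, where SDriver uses the full stack trace.

```python
"""Location-specific query signatures: a training phase records
(call site, query skeleton) pairs, and in production any query whose
signature was never recorded is blocked. Added example in the spirit of
SDriver, not SDriver's own code; the application functions are constructed."""
import re
import sys

# String literals (with '' as the escaped quote) and numeric literals.
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")
WS_RE = re.compile(r"\s+")


def skeleton(sql: str) -> str:
    # Remove literals and normalise whitespace and case, so that only
    # keywords, identifiers and operators remain.
    return WS_RE.sub(" ", LITERAL_RE.sub("?", sql)).strip().upper()


class SignatureDriver:
    """Wraps the real driver; here it only records or checks signatures."""

    def __init__(self):
        self.signatures = set()
        self.training = True

    def execute(self, sql: str) -> str:
        # The call site is the function that asked for the query. SDriver
        # uses the whole invocation stack; one frame is enough to show the idea.
        call_site = sys._getframe(1).f_code.co_name
        sig = (call_site, skeleton(sql))
        if self.training:
            self.signatures.add(sig)
            return "recorded"
        if sig not in self.signatures:
            raise PermissionError(f"blocked at {call_site}: {sig[1]}")
        return "allowed"


# Application code that still builds queries by concatenation (unsafe in
# itself; the driver is the safety net).
def find_user(driver: SignatureDriver, name: str) -> str:
    return driver.execute("SELECT id, role FROM users WHERE name = '" + name + "'")


def count_users(driver: SignatureDriver) -> str:
    return driver.execute("SELECT count(*) FROM users")


def train(driver: SignatureDriver) -> None:
    # Training run over legitimate inputs, including a properly escaped quote.
    driver.training = True
    for name in ("alice", "bob", "o''reilly"):
        find_user(driver, name)
    driver.training = False


if __name__ == "__main__":
    drv = SignatureDriver()
    train(drv)
    print(find_user(drv, "carol"))
    for call in (lambda: find_user(drv, "' OR '1'='1' --"), lambda: count_users(drv)):
        try:
            call()
        except PermissionError as exc:
            print(exc)
```

Note that count_users is blocked even though its query is harmless: it was never seen in training, which is the price of a location-specific allow-list and the reason the training run has to cover every code path.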

Fallon, Llewellyn & Smith (2008) state that Oracle has introduced notation containing value placeholders and simple name placeholders. Several rules for preventing SQL injection follow: declare SQL statements as constants and assign intermediate query results to variables, and use nested block statements where needed so that the code is easier to review. The administrator must understand the term "SQL syntax template" and know how to distinguish dynamic SQL syntax from static SQL syntax. SQL injection is defined as the execution of an SQL statement with an unintended SQL syntax, and every SQL statement executed with dynamic SQL syntax is potentially exposed to it. Clients must not have direct access to the system but only to an SQL API, a form of privilege control that limits an attacker's access to other systems. The system must be designed thoroughly, with the rationale for every SQL statement, and value placeholders should be used in both dynamic and static SQL syntax templates, together with simple name placeholders. The Oracle-supplied APIs designed to execute SQL statements should be used; they help the administrator maintain the security of the database, they have been tested by the vendor before release, and when an update or error is found the vendor notifies the administrator for action.

Kost (2007) proposes that SQL injection attacks can be reduced by programming changes alone: bind variables, input validation, function security and error messages. With bind variables, the application binds values into every SQL statement and never concatenates strings with passed parameters. Bind variables must be used for every SQL statement the web application executes; they add a few lines of code, but for security this should not matter to the developer. Input validation means that every string parameter passed is validated; if the system does not use bind variables, special database characters must be removed before the query is processed. SQL injection attacks also exploit the standard and custom database functions available to the application, which are often granted to PUBLIC by default. Error messages produced during execution can be used by the attacker to gain knowledge about the web application itself; rather than showing the error to the user, it is advisable to write it to an error log that only the administrator can access.
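Two of Kost's items that bind variables alone do not settle, as an added example (not Kost's code; the products table, request parameters and handler are constructed): a sort column, which is an identifier and cannot be bound, is checked against an allow-list, and a numeric bound is validated as a number rather than having quote characters stripped, since `price <= 10 OR 1=1` needs no quotes at all. The handler writes the detailed error to the administrator's log and returns only a generic message to the user.

```python
"""Input validation for what bind variables cannot cover, and error
handling that keeps database detail out of the user's response. Added
example; the products table, parameters and handler are constructed."""
import logging
import sqlite3

log = logging.getLogger("webapp")  # administrator-only destination

# Identifiers (column names) cannot be bound as parameters, so they are
# checked against an allow-list instead of being escaped.
ALLOWED_SORT = {"name", "price"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("apple", 1.5), ("pear", 2.0), ("melon", 4.0)])
    return conn


def list_products(conn, sort_by: str, max_price: str) -> list:
    if sort_by not in ALLOWED_SORT:
        raise ValueError(f"sort column not allowed: {sort_by!r}")
    try:
        # Numeric context: there are no quotes to strip, so removing special
        # characters would not help; parse the value as a number instead.
        limit = float(max_price)
    except ValueError:
        raise ValueError(f"max_price is not numeric: {max_price!r}") from None
    # The value is bound; the identifier comes from the allow-list.
    sql = f"SELECT name, price FROM products WHERE price <= ? ORDER BY {sort_by}"
    return conn.execute(sql, (limit,)).fetchall()


def handle_request(conn, params: dict) -> dict:
    """Detailed errors go to the administrator's log; the user sees a generic message."""
    sort_by = params.get("sort", "name")
    max_price = params.get("max_price", "1e9")
    try:
        return {"status": 200, "rows": list_products(conn, sort_by, max_price)}
    except ValueError as exc:
        log.warning("rejected request %r: %s", params, exc)
        return {"status": 400, "error": "invalid request"}
    except sqlite3.Error as exc:
        log.error("database error for %r: %s", params, exc)
        return {"status": 500, "error": "internal error"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    db = make_db()
    print(handle_request(db, {"sort": "price", "max_price": "2"}))
    print(handle_request(db, {"sort": "name; DROP TABLE products --"}))
    print(handle_request(db, {"max_price": "10 OR 1=1"}))
```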


SQL is very useful for manipulating the data in a database system to retrieve the information users require. That same power lets attackers exploit vulnerabilities in web-based applications for their own ends. They use SQL injection to extract confidential information or modify the database, which leads to losses for the organization; many have reported losing millions of dollars as well as the effort they invested. Countermeasures must be applied to reduce SQL injection even if it is hard to stop completely: using stored procedures or parameter lists as an alternative, hiding error messages from users and, most crucially, taking everything into consideration when designing the web application system, including the SQL statements used and the bound-parameter syntax. System administrators often overlook this because they do not analyse the system thoroughly and as a whole. Oracle, for example, provides APIs that help administrators design security into their systems and embed it; these APIs prevent users from accessing the system directly by filtering access through another layer. SQL injection attacks have caused great losses in money, effort, corporate image and client trust. Even large companies, including antivirus vendors whose products are meant to stop attackers, have had this problem on their websites and tarnished their image as a result.

Notice From Mercumaya – Gumblar Attacks

Safeguarding your website from Gumblar Attacks

Over the past few weeks, several websites hosted on our Linux Servers threw up virus alerts. Further investigation revealed that these alerts were triggered by an injection attack on packages hosted on our servers, commonly known as Gumblar Attacks. FTP logs of these infected packages indicated that machines of the customers who own those domains were compromised and had been used to upload malicious content to their respective Hosting Packages. A few pointers for your benefit:

What is a Gumblar Attack?

Gumblar appears to be a combination of exploit scripts and malware. The scripts are embedded in .html, .js and .php files using obfuscated Javascript. They load malware content from Third Party sites without the user’s knowledge, while also stealing FTP credentials from the victim’s computer, which then allows it to spread and infect additional sites. Therefore, when someone visits such an infected site they get infected; if they have FTP credentials for a website on their machine then those sites get infected too. This explains the exponential growth of the exploit in such a short space of time.

Gumblar is a computer virus that first appeared in 2009. It has been identified as one of the most malicious viruses in existence. It is characterized by redirecting the user's Google searches and is suspected to come from Adobe Flash and PDF files. (Wikipedia)

What makes it different from other Malware exploits?

There are a number of aspects to this exploit that not only help it spread, but also make it difficult to remove. Firstly, it infects users browsing legitimate websites; if these users are webmasters then it infects their websites by using their FTP credentials to inject the script into their site. The obfuscated malicious code, being dynamically generated, is difficult to detect and difficult to remove automatically. Not only does the script vary from site to site, it can also vary from page to page on the same site.

CNET published a more detailed article; check out the following news article.

What steps should you take?

  • It is good practice to reset your FTP password and change it often.

Regards,

MERCUMAYA.NET A Division Of NETLYNX Solutions.


What is Sabily?
Sabily is an operating system, like MS Windows or Mac OS X. Without an operating system, a computer is unusable, and Windows is not the only OS available! (though you often don't have the choice, that's why we are working hard to fix bug number one)

I already have Windows, why would I use Sabily?
Because Sabily is free, already includes all the software you need for your everyday tasks, and is customized specifically for Muslims. And even if you didn't buy Windows, you should not use pirated copies because then you are still supporting Microsoft by adding to the impression that it's the only OS available.

It must be a tremendous amount of work to develop an operating system?
Actually we don't start from scratch; we use the Ubuntu operating system as a groundwork. Ubuntu is a GNU/Linux distribution whose goal is to provide an easy-to-use, up-to-date, stable and free system, also for companies. Sabily customizes Ubuntu by removing, modifying and adding software, and also customizes the graphic design to make a system adapted to Muslims.

Is there a company like Microsoft which develops Sabily?
No there isn't, just a community of volunteers coming from all over the world (France, Tunisia, Egypt, Indonesia etc.). You can participate as well, as a developer, a graphic designer, a tester or if you just want to share your ideas.

What are the main features of Sabily?
The main software are: Zekr and Mus-haf Othman (Quran study tools), Minbar and Firefox-praytimes (prayer times applications), Monajat (application that pops up prayers at predetermined times), Hijra (Islamic calendar) and WebStrict (parental control tool). Arabic language is also well supported. And of course the graphic design is also customized (see screenshots).

What other software is included in Sabily?
OpenOffice (word processor, spreadsheet, presentation), Firefox (web browser), Pidgin (instant messaging), F-spot (photo management), Gimp (image manipulation program) and other multimedia software (video/audio). All of this is included in the "small" version of Sabily, but the "full" version contains dozens of other programs! (educational software, tools and entire Quran recitations, see the full list here)

Sabily seems very interesting, what should I do to use it?
You have to download the ISO file and burn it to a DVD, then start your computer from the DVD. You will have the choice to test or to install the system. At first we advise you to test it, because it is safe for your computer: nothing will be written to your hard disk. You can even test Sabily directly from Windows by using a VirtualBox image.


About Linux

Linux is an operating system that was initially created as a hobby by a young student, Linus Torvalds, at the University of Helsinki in Finland. Linus had an interest in Minix, a small UNIX system, and decided to develop a system that exceeded the Minix standards. He began his work in 1991 when he released version 0.02 and worked steadily until 1994 when version 1.0 of the Linux Kernel was released. The kernel, at the heart of all Linux systems, is developed and released under the GNU General Public License and its source code is freely available to everyone. It is this kernel that forms the base around which a Linux operating system is developed. There are now literally hundreds of companies and organizations and an equal number of individuals that have released their own versions of operating systems based on the Linux kernel. More information on the kernel can be found at our sister site, LinuxHQ and at the official Linux Kernel Archives. The current full-featured version is 2.6 (released December 2003) and development continues.

Apart from the fact that it's freely distributed, Linux's functionality, adaptability and robustness has made it the main alternative to proprietary Unix and Microsoft operating systems. IBM, Hewlett-Packard and other giants of the computing world have embraced Linux and support its ongoing development. Well into its second decade of existence, Linux has been adopted worldwide primarily as a server platform. Its use as a home and office desktop operating system is also on the rise. The operating system can also be incorporated directly into microchips in a process called "embedding" and is increasingly being used this way in appliances and devices.

Throughout most of the 1990s, tech pundits, largely unaware of Linux's potential, dismissed it as a computer hobbyist project, unsuitable for the general public's computing needs. Through the efforts of developers of desktop management systems such as KDE and GNOME, office suite projects and the Mozilla web browser project, to name only a few, there are now a wide range of applications that run on Linux and it can be used by anyone regardless of his/her knowledge of computers. Those curious to see the capabilities of Linux can download a live CD version called Knoppix. It comes with everything you might need to carry out day-to-day tasks on the computer and it needs no installation. It will run from a CD in a computer capable of booting from the CD drive. Those choosing to continue using Linux can find a variety of versions or "distributions" of Linux that are easy to install, configure and use. Information on these products is available in our distribution section and can be found by selecting the mainstream/general public category.

Additional Information

If you're interested in learning about Linux, need help with some aspect of its use or are enthusiastic about it and want to help foster its adoption, you may want to get in touch with a Linux User Group in your area. There are groups in practically every country, region and city in the world, so there is likely to be one near you.

Each day, Linux use is increasing in every sector of our society. We have information about Linux deployments in government, industry and the arts.

Linux has an official mascot, Tux, the Linux penguin, which was selected by Linus Torvalds to represent the image he associates with the operating system. Tux was created by Larry Ewing and Larry has generously given it to the community to be freely used to promote Linux. More information on use of the image can be found on his webpage. More links to variations on the image and alternative logos can be found on our logo page.

Many people are not sure of the pronunciation of the word Linux. Although many variations of the word exist, often due to native language factors, it is normally pronounced with a short "i" and with the first syllable stressed, as in LIH-nucks. You can hear how Linux creator Linus Torvalds pronounces the word in Swedish and in English.


Journey to Paka

I just arrived in Paka for the 3P program at Politeknik Sultan Mizan Zainal Abidin (PSMZA). On the way to Rumbia Resort, I saw the oil plant, very beautiful at night with the lighting and the fire burning. I took a few pictures but the quality is not so good, and I am planning to take the pictures again next time before coming back to Shah Alam.

3P At UMS Labuan

I just came back from Universiti Malaysia Sabah (UMS) Labuan. I was working with Prestariang System Sdn Bhd on the 3P project over there as Project Executive. Very nice view from my office, and I love the sea and the lots of seafood over there. I stayed almost a month and had many new experiences.