
Abstract

Existing System

SQL injection attacks pose tremendous risks to web applications that depend on a database backend to generate dynamic content. In this type of attack, an attacker manipulates a web application so that their own SQL commands are injected into the queries the application issues to the database. (For an example, see the article SQL Injection Attacks on Databases.) In this article we look at several ways to test your web applications to determine whether they are vulnerable to SQL injection. A SQL injection vulnerability can occur when a poorly written program uses user-provided data in a database query without first validating the input. This is most often found in web pages with dynamic content. There are some excellent tutorials and descriptive articles on this subject, as well as many vulnerability postings for different applications on full-disclosure websites.

A simple example of SQL injection is a basic HTML login form in which you provide a username and password:

    <form method="post" action="process_login.php">
      <input type="text" name="username">
      <input type="password" name="password">
    </form>

Given this snippet of HTML, one can deduce that the easiest (and worst) way for the script process_login.php to work would be for it to build and execute a database query that looks like this:

    "SELECT id FROM logins WHERE uname = '$username' and upass = '$password'";

Under those circumstances, if the variables $username and $password are taken directly from the user's input, the login script can easily be tricked into believing that a valid password has been provided by playing with the syntax of the SQL statement. Suppose the following string is provided as the password:

    ' or '' = '

and bob is given as the username. Once the variables are interpolated, the query becomes:

    "SELECT id FROM logins WHERE uname = 'bob' and upass = '' or '' = ''";

This query returns a row because the final clause, ... or '' = '', always evaluates to true (an empty string is always equal to an empty string). Since AND binds more tightly than OR, the database evaluates the condition as (uname = 'bob' and upass = '') or ('' = ''), so every row in logins matches regardless of the username supplied, and the script treats the first row returned as a successful login.
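The login bypass described above, as an added example that is not part of the original page. It uses Python's sqlite3 module with a constructed in-memory logins table (the table and column names come from the query above; the stored credentials are made up) and shows the interpolated query accepting the ' or '' = ' password, while the same check written as a parameterised query does not.

```python
import sqlite3


# Constructed in-memory stand-in for the `logins` table in the text; the
# credentials are made up for this demonstration.
def make_login_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, uname TEXT, upass TEXT)"
    )
    conn.execute("INSERT INTO logins (uname, upass) VALUES ('bob', 'hunter2')")
    conn.commit()
    return conn


def render_query(username: str, password: str) -> str:
    # The string process_login.php is assumed to build: user input is
    # interpolated straight into the SQL text.
    return (
        f"SELECT id FROM logins WHERE uname = '{username}' "
        f"and upass = '{password}'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Deliberately insecure: executes the interpolated query and treats any
    # returned row as a successful login.
    return conn.execute(render_query(username, password)).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Prepared (parameterised) statement: the SQL structure is fixed before
    # the values are bound, so a quote in the input is data, not syntax.
    query = "SELECT id FROM logins WHERE uname = ? and upass = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_login_db()
    payload = "' or '' = '"
    print(render_query("bob", payload))
    print("vulnerable_login:", vulnerable_login(db, "bob", payload))  # True
    print("safe_login:      ", safe_login(db, "bob", payload))        # False
```

Note that vulnerable_login also succeeds for a username that does not exist, because the trailing or '' = '' clause matches every row; the parameterised version only matches when both bound values equal a stored row. (A real login would compare a password hash rather than a stored plaintext, but that does not change the injection behaviour shown here.)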

Proposed System

The most common methods of preventing this kind of SQL injection vulnerability are to check the user's input for dangerous characters such as single quotes, and to use prepared statements, which tell the database exactly what to expect before any user-provided data is passed to it. Of the two, prepared statements are the robust choice: the statement's structure is fixed before the data is bound, so no input value can alter it.

Incorrectly filtered escape characters

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. It allows the end user of the application to manipulate the statements performed on the database. The following line of code illustrates the vulnerability:

    statement = "SELECT * FROM `users` WHERE `name` = '" + userName + "';"

This SQL code is designed to pull up the records of the specified username from the users table. However, if the userName variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting userName to

    ' or '1'='1

or using a comment to block out the rest of the query (there are three SQL comment syntaxes; the # form is MySQL-specific, and MySQL only treats -- as a comment when it is followed by whitespace, so that payload needs its trailing space):

    ' or '1'='1' -- '
    ' or '1'='1' # '
    ' or '1'='1' /* '

renders one of the following SQL statements in the parent language:

    SELECT * FROM `users` WHERE `name` = '' OR '1'='1';
    SELECT * FROM `users` WHERE `name` = '' OR '1'='1' -- ';

If this code were used in an authentication procedure, this example could be used to force the selection of a valid username because the evaluation of '1'='1' is always true.

The following value of userName would cause the deletion of the users table as well as the selection of all data from the userinfo table (in essence revealing the information of every user), using an API that allows multiple statements:

    a';DROP TABLE `users`; SELECT * FROM `userinfo` WHERE 't' = 't

This input renders the final SQL statement as follows:

    SELECT * FROM `users` WHERE `name` = 'a';DROP TABLE `users`; SELECT * FROM `userinfo` WHERE 't' = 't';

While most SQL server implementations allow multiple statements to be executed with one call in this way, some SQL APIs, such as PHP's mysql_query() function, do not allow this for security reasons. That prevents attackers from injecting entirely separate queries, but does not stop them from modifying the query they are already inside.

Incorrect type handling

This form of SQL injection occurs when a user-supplied field is not strongly typed or is not checked for type constraints. This can happen when a numeric field is used in a SQL statement but the programmer makes no check that the user-supplied input is actually numeric. For example:

    statement := "SELECT * FROM `userinfo` WHERE `id` = " + a_variable + ";"

It is clear from this statement that the author intended a_variable to be a number correlating to the id field. However, if it is in fact a string, the end user can manipulate the statement as they choose, and because the value is not enclosed in quotes no escape characters are needed at all. For example, setting a_variable to

    1;DROP TABLE `users`

will drop (delete) the users table from the database, since the SQL is rendered as:

    SELECT * FROM `userinfo` WHERE `id`=1;DROP TABLE `users`;

Escaping

A straightforward, though error-prone, way to prevent injections is to escape characters that have a special meaning in SQL. (This is SQL escaping; it is not HTML sanitization, which addresses a different problem.) The manual for a SQL DBMS explains which characters have a special meaning, which allows creating a comprehensive blacklist of characters that need translation. For instance, every occurrence of a single quote (') in a parameter must be replaced by two single quotes ('') to form a valid SQL string literal. In PHP, for example, it was usual to escape parameters with mysql_real_escape_string() before sending the query (MySQL uses backslash escaping, so it produces \' rather than '', with the same effect):

    $query = sprintf("SELECT * FROM `Users` WHERE UserName='%s' AND Password='%s'",
                     mysql_real_escape_string($Username),
                     mysql_real_escape_string($Password));
    mysql_query($query);

(The mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7; current PHP code should use mysqli or PDO prepared statements instead.) Routinely passing escaped strings to SQL is error prone because it is easy to forget to escape a given string, and escaping only protects values placed inside quoted string literals: it does nothing for the unquoted numeric case above, which has to be handled by a type check. Creating a transparent layer that secures the input can reduce this error-proneness, if not entirely eliminate it.

The xkcd comic "Exploits of a Mom" concerns a student whose mother named him "Robert'); DROP TABLE Students;--", nicknamed "Little Bobby Tables". When his name is entered into a school database, it destroys the student records. Because of this comic, the term "Little Bobby Tables attack" has become identified with SQL injection attacks.

SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches covering database fingerprinting, fetching data from the database, accessing the underlying file system, and executing commands on the operating system via out-of-band connections.
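The cases from the Proposed System section above, as one added example that is not part of the original page: the tautology payloads against an unescaped string literal, quote doubling as the escaping fix, the unquoted numeric id where escaping does nothing, and the stacked DROP TABLE statement under an API that refuses multiple statements versus one that runs them. It uses Python's sqlite3 module rather than PHP/MySQL; the users and userinfo tables and their rows are constructed for the demonstration. Connection.execute() accepts a single statement and stands in for PHP's mysql_query(); Connection.executescript() runs the whole batch, like the APIs that allow multiple statements. Quote doubling is the standard SQL rule the text gives; MySQL's mysql_real_escape_string uses backslash escapes instead, with the same effect for the ' character.

```python
import sqlite3


# Constructed in-memory stand-ins for the `users` and `userinfo` tables in
# the text; all rows are made up for this demonstration.
def make_user_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE userinfo (id INTEGER PRIMARY KEY, email TEXT);
        INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO userinfo (id, email)
            VALUES (1, 'alice@example.com'), (2, 'bob@example.com');
        """
    )
    return conn


def escape_sql_string(value: str) -> str:
    # Quote doubling: the escaping rule the text gives for SQL string
    # literals (MySQL's mysql_real_escape_string backslash-escapes instead).
    return value.replace("'", "''")


def users_by_name_raw(conn, user_name: str) -> list:
    # "Incorrectly filtered escape characters": input concatenated unescaped.
    stmt = "SELECT name FROM users WHERE name = '" + user_name + "'"
    return [row[0] for row in conn.execute(stmt)]


def users_by_name_escaped(conn, user_name: str) -> list:
    # Same query with escaping: the tautology payload becomes a literal string.
    stmt = "SELECT name FROM users WHERE name = '" + escape_sql_string(user_name) + "'"
    return [row[0] for row in conn.execute(stmt)]


def userinfo_by_id_escaped(conn, a_variable: str) -> list:
    # "Incorrect type handling": the value is unquoted, so escaping quotes
    # changes nothing; a payload like "1 OR 1=1" contains no quote at all.
    stmt = "SELECT email FROM userinfo WHERE id = " + escape_sql_string(a_variable)
    return [row[0] for row in conn.execute(stmt)]


def userinfo_by_id_safe(conn, a_variable: str) -> list:
    # Fix for the numeric case: enforce the type, then bind as a parameter.
    user_id = int(a_variable)  # ValueError for "1 OR 1=1" or "1;DROP TABLE users"
    rows = conn.execute("SELECT email FROM userinfo WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def run_stacked(conn, a_variable: str, api_allows_batches: bool) -> str:
    # The stacked-query payload from the text. execute() takes a single
    # statement and rejects the batch; executescript() runs every statement.
    stmt = "SELECT email FROM userinfo WHERE id = " + a_variable
    try:
        if api_allows_batches:
            conn.executescript(stmt)
        else:
            conn.execute(stmt)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # Older Python versions raise sqlite3.Warning for multiple statements,
        # newer ones sqlite3.ProgrammingError; both are caught here.
        return "rejected: " + str(exc)
    return "executed"


def table_exists(conn, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None
```

Running the functions in order shows the progression the text describes: the raw query returns every user for ' or '1'='1 (with or without a trailing -- comment), the escaped query returns nothing for the same payload, the unquoted id query still returns every row for 1 OR 1=1 despite escaping, the single-statement API refuses 1;DROP TABLE users and leaves the table in place, and the batch API executes it and the table is gone.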

Feasibility Study

i. Technical Feasibility
ii. Economical Feasibility
iii. Operational Feasibility

A feasibility study is a high-level capsule version of the entire system analysis and design process. The study begins by clarifying the problem definition. Feasibility is the determination of whether the project is worth doing. Once an acceptable problem definition has been generated, the analyst develops a logical model of the system. The alternatives found are then analyzed carefully. There are three parts to a feasibility study.

Technical Feasibility: Evaluating technical feasibility is the trickiest part of a feasibility study, because at this point in time not much detailed design of the system exists, making it difficult to assess issues like performance and costs (on account of the kind of technology to be deployed). A number of issues have to be considered while doing a technical analysis. Understand the different technologies involved in the proposed system: before commencing the project we have to be very clear about which technologies are required for the development of the new system. Find out whether the organization currently possesses the required technologies, that is, whether the required technology is available within the organization.

Operational Feasibility: A proposed project is beneficial only if it can be turned into an information system that will meet the organization's operating requirements. Simply stated, this test of feasibility asks whether the system will work when it is developed and installed. Are there major barriers to implementation? Here are questions that will help test the operational feasibility of a project: Is there sufficient support for the project from management and from users? If the current system is well liked and used to the extent that people will not be able to see reasons for change, there may be resistance. Are the current business methods acceptable to the users? If they are not, users may welcome a change that brings about a more operational and useful system. Have the users been involved in the planning and development of the project?

Early involvement reduces the chances of resistance to the system in general and increases the likelihood of a successful project. Since the proposed system was to help reduce the hardships encountered in the existing manual system, the new system was considered to be operationally feasible.

Economic Feasibility: Economic feasibility attempts to weigh the costs of developing and implementing a new system against the benefits that would accrue from having the new system in place. This feasibility study gives top management the economic justification for the new system. A simple economic analysis that gives an actual comparison of costs and benefits is much more meaningful in this case. In addition, it proves to be a useful point of reference for comparing actual costs as the project progresses. There could be various types of intangible benefits on account of automation. These could include increased customer satisfaction, improvement in product quality, better decision making, timeliness of information, expediting of activities, improved accuracy of operations, better documentation and record keeping, faster retrieval of information, and better employee morale.

Requirement Analysis

Design Diagrams

Screen Shots
