Abstract
Web applications accept user input via forms in web pages. This input is posted to the server as name-value pairs, both of which are strings. SQL injection attack targets interactive web applications that employ database services. Such applications accept user input, such as form fields, and then include this input in database requests, typically SQL statements. In SQL injection, the attacker provides user input that results in a different database request than was intended by the application programmer. Interpretation of the user input as part of a larger SQL statement, results in an SQL statement of a different form than originally intended. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input.
Our method aims to satisfy the following three criteria:
- Eliminate the possibility of the attack;
- Minimize the effort required by the programmer;
- Minimize the runtime overhead.
Existing System
Current web apps build SQL by concatenating user input into query strings. Defenses mostly use escaping, blacklists, or prepared statements inconsistently. Many codebases still perform manual string assembly for dynamic queries. Text-level filters and WAFs often miss structural manipulations or cause false positives. Static scanners find some issues but cannot observe runtime-generated SQL shapes.
As a result, attackers can craft inputs that change query structure and bypass filters. There is little automatic structural verification of the final SQL before execution.
Proposed System
Instead of only sanitizing input text, the system ensures the structure of the SQL query stays the same before and after user input is introduced. The application constructs a safe SQL template (with placeholders), parses that template to obtain a canonical parse tree, then — at runtime — replaces placeholders with actual user input and reparses the final SQL. If the parse tree structure differs in ways that indicate syntactic/semantic modification (extra clauses, altered operators, changed node types), the system blocks the query and raises an alert.
Advantages
-
Structural guarantees: Attackers cannot change SQL structure without detection.
-
Developer-friendly: Minimal changes — use template API instead of raw concatenation.
-
Transparent protection: Works even when escaping is forgotten.
-
Actionable alerts: Detailed logs show where and how the parse-tree changed.
Hardware Requirements
- Processor: Intel Core 2 Duo
- Clock Speed: 2.2 GHz
- RAM: 2 GB DDR
- Storage: 16 GB HDD
Software Requirements
- Operating System : Windows 10 (or above)
- Platform: .NET (Visual Studio 2022)
- Framework: .NET Framework 4.0
- Database: SQL Server 2017
Project Modules
- Random Injection Module
- Random Injection Prevention Module
- Partial Check – Custom Define Check Module
- Parse Tree Validation – SQL Compiler Module
Components of Project Report
- Abstract
- Table of Contents
- List of Tables
- List of Figures
- Chapters
- Introduction
- Literature review
- Problem definition and requirement analysis
- Design and Implementation
- Testing and deployment
- Future enhancements
- Summary
- References
Project Report Pages : 80
Can be used in : Dotnet
Delivery Time : Within 2 hours.
Support / Query : Call +91-7449000533
Email [email protected]