Copyright © 2018 Authors. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

International Journal of Engineering & Technology, 7 (2.6) (2018) 213-216
Website: www.sciencepubco.com/index.php/IJET
Research Paper

Proposed Method for SQL Injection Detection and its Prevention

Ashish Kumar 1 *, Sumitra Binu 2
1 Department of Computer Science, Christ University, Bangalore, India
2 Department of Computer Science, Christ University, Bangalore, India
*Corresponding author E-mail: ashishalbert9@gmail.com

Abstract

SQL injection is a commonly used method of attacking a database server. Injection attacks enable the attacker to bypass the validation and authorization mechanisms used by the database server and gain access to the database. The easiest way to launch this attack is by exploiting loopholes in the validation of user inputs provided through login pages. Each login page that a user visits can contribute towards revealing the identity of the user. Feedback given by the server while executing SQL code can reveal information about vulnerabilities in the validation process of the database server. This information can be misused by the attacker to launch an SQL injection attack. This paper discusses a technique for identifying and preventing SQL injection attacks using the concept of tokenization. The paper discusses a function which checks user queries for the presence of various predefined tokens and thereby prevents access to web pages in cases where the user query includes any of the defined tokens.

Keywords: SQL, SQL Injection attacks, SQL Injection Vulnerability, Tokenization.

1. Introduction

SQL injection is a type of database threat which is used to penetrate a website and gain access to the database.
SQL Injection Attacks (SQLIA) are launched to gain access to databases containing sensitive data, by penetrating websites with security loopholes. This is a critical attack which can bypass many security layers, such as encryption and firewalls, and is launched by exploiting vulnerabilities in input validation. This attack can easily bypass the database components. SQL injection is a simple attack that can be launched without much effort by logging in via web pages that do not provide proper validation of user inputs.

As part of the login and authentication process, the user gives his/her username and secret information such as a password for verification. The provided user inputs are translated into an SQL statement by the web application, and the SQL injection attack is carried out by SQL statements which can bypass the validation procedure [1].

SQL is a query-based scripting language which allows users to access the database, and an SQL injection attack may provide unauthorized access to the database server. In this attack, the client's input is treated as SQL code. SQL enables a client to access the database through PHP or Perl by providing fundamental queries. If the data provided by the user is sent straight to the database without being properly tested and verified, then the vulnerability can be misused by the client by inserting malicious SQL code.

Attackers can directly execute SQL queries against the database, which may lead to exploitation of the data; for example, an update or delete query may be executed, leaving the data irrecoverable and inaccessible. In more critical conditions, remote code can be executed and the data stored in the database can be accessed by the attackers.
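The difference between input that is "treated as SQL code" and input that is bound as data can be seen in a short added example (not code from the paper). It uses Python's sqlite3 module rather than PHP or Perl so that it runs offline; the users table, the account and the function names are constructed for illustration.

```python
import sqlite3

# Constructed input built on the 1 = 1 tautology the paper describes.
TAUTOLOGY = "' OR '1'='1"

def make_db():
    # Constructed sample data; plaintext password only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def login_concatenated(db, username, password):
    # Vulnerable form: input is pasted into the statement text, so the
    # database parses quotes and keywords in it as SQL code.
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None

def login_parameterized(db, username, password):
    # Hardened form: the statement text is fixed and the input is bound
    # as data, so it can never change the structure of the query.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

def compare(username, password):
    """Return (concatenated_result, parameterized_result) for one attempt."""
    db = make_db()
    try:
        return (login_concatenated(db, username, password),
                login_parameterized(db, username, password))
    finally:
        db.close()

def concatenated_error(username):
    """Return the database error text a stray quote produces, or None."""
    db = make_db()
    try:
        login_concatenated(db, username, "x")
        return None
    except sqlite3.Error as exc:
        return str(exc)  # server feedback of the kind the abstract mentions
    finally:
        db.close()

if __name__ == "__main__":
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"), ("alice", TAUTOLOGY)]:
        print(repr(pw), compare(user, pw))
    print(concatenated_error("O'Brien"))
```

The legitimate name O'Brien is enough to make the concatenated query fail with a syntax error, which is why returning raw database errors to the client should be avoided alongside the move to bound parameters.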
System administrators, however, are less likely to know about a user's attacks, because the attacker can make use of an Application Program Interface (API), which helps them execute the undesirable query. This represents a vulnerability that poses a serious threat to a web platform that processes user SQL queries used to retrieve information from a database. A vast majority of web applications are susceptible to vulnerabilities in the validation of user inputs and hence are defenseless against SQL injection. SQLIA is moderately simple to perform and hard to prevent.

Fig 1. SQL injection Schema

The user inputs are used to build the SQL query which is exchanged with the database. If the entered values are as expected, the user's access is allowed; otherwise access is denied [1]. SQL injection attacks take many forms, including Error-based Injection, Tautology-based Injection, Union-based Injection and Blind SQL injection. As shown in Fig. 1, in a tautology-based attack the user gets unauthorized access to the database by including in the query a tautology that always evaluates to true. In the example illustrated in Fig. 1, users get unauthorized access to the system as the tautology 1 = 1 is always true, hence if