A Role-Based Access Control Approach for SQL Injection Attacks

摘要

With the popular use of web applications, security issues cause more and more attentions in computer society. The SQL injection attack is one of the main security concerns for database driven web applications, which uses crafted malicious SQL segments to compromise the back end databases. One reason of the vulnerability is the design issue that how those applications utilize databases. Many of the existing applications used SQL queries to perform user authentication. This paper proposes a different approach that uses role-based access control at database management system level. By pushing down the role base access control to the database management system level, it aims at minimizing SQL injection attacks and costing less effort from application programmers. We use a typical employee application as an example to illustrate our approach. Design details and evaluations are presented in this paper.