Mitigation of SQL Injection Attacks in an Information Technology Project in a WEB Environment
Keywords: Cybersecurity, SQL Injection, Information Security, WEB Systems, MSSQL
Abstract
Companies increasingly run their computer systems in a WEB environment, which exposes them to various types of attacks, among them SQL Injection. This type of attack consists of sending malicious code through certain system objects and, in this way, obtaining access and privileged information. In this context, the research presents a suggestion for mitigating SQL Injection attacks in an Information Technology project in a WEB environment. The article is qualitative in nature and used the Design Science Research methodology. The results were the structure of a class that handles the received data, the recommendation to use the parameters() method when creating the calls, and the use of Stored Procedures in operations with the DBMS. The contribution to theory is a suggested mitigation of such attacks, which needs further study. The contribution to practice is that programmers, analysts and IT managers can benefit from the recommendations of this research.
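The three recommendations above (a class that handles received data, the Parameters collection on the call, and a Stored Procedure on the DBMS side), as an added C#/MSSQL example that is not the article's own code; the class name, table, column and procedure name are assumptions, and the concatenated method is shown only as the pattern the mitigation replaces:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical data-handling class (the article names no identifiers). It validates
// the received value and issues the DBMS call through a stored procedure with a
// typed parameter, so user input is never spliced into the SQL text.
public sealed class UserRepository
{
    private readonly string _connectionString;

    public UserRepository(string connectionString) => _connectionString = connectionString;

    // Pattern to avoid: the received value is concatenated into the statement, so the
    // DBMS cannot tell the data apart from the query (the SQL Injection case described above).
    public bool UserExistsUnsafe(string username)
    {
        string sql = "SELECT COUNT(*) FROM dbo.Users WHERE Username = '" + username + "'";
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(sql, conn);
        conn.Open();
        return (int)cmd.ExecuteScalar() > 0;
    }

    // Mitigation: the handling class checks the input, then passes it to a stored
    // procedure (assumed name: dbo.usp_UserExists) via SqlCommand.Parameters.
    // Assumed procedure definition (T-SQL), shown here as a comment:
    //   CREATE PROCEDURE dbo.usp_UserExists @Username NVARCHAR(50) AS
    //       SELECT COUNT(*) FROM dbo.Users WHERE Username = @Username;
    public bool UserExists(string username)
    {
        if (string.IsNullOrWhiteSpace(username) || username.Length > 50)
            throw new ArgumentException("Username must be 1-50 characters.", nameof(username));

        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand("dbo.usp_UserExists", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        // Typed, length-bounded parameter: the value travels separately from the SQL text.
        cmd.Parameters.Add(new SqlParameter("@Username", SqlDbType.NVarChar, 50) { Value = username });
        conn.Open();
        return (int)cmd.ExecuteScalar() > 0;
    }
}
```

With the parameterized call, an input such as a quote character is matched literally against the column value instead of altering the statement.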