If a system is designed to serve different users, then a specific identification scheme should be used for every user to ensure authenticated access to the system. Username and a secret key for that user can identify and authenticate the user uniquely. In different type of attacks, like SQL injection attack (SQLIA), an attacker violates the authentication system and get access to the database by sneaking through unauthorized channels.
In SQL injection attack, an unauthorized user uses the text input form of web application to add a small portion of malicious code which will execute in the backend database server. The additional code modifies the existing backend SQL query code in such a way that the attacker get additional information …show more content…
Main advantage of combining the username-password and password-salt is if two usernames or two passwords has same value, the hash will not be the same. Because, if two same usernames have different password values or two same passwords have different usernames, the combined hash will be always different for each of the cases. By adding salt to the password field, lookup table, reverse lookup table and rainbow tables will be ineffective.
We used the following statement to find the user from the table:
$result= SELECT * FROM usertable WHERE combinedHash= ‘combined_hash’ AND salt = ‘salt’ AND password_hash = ‘password_hash’;
When this query ran successfully and it returned only one result, then a successful login message was displayed to the user. After successful login, the privileges those were revoked from the user can be granted again. But, before granting, we need to be very careful about the privileges and we allow only those, which are actually needed to interact with the web application.
This model was tested for several known attacks and the system rejected all the attacks we tried. Following table shows some of the attack