Analysis of the Effectiveness of Parameterized Queries in Preventing SQL Injection Attacks
DOI: https://doi.org/10.33795/jip.v12i1.8977

Abstract
SQL injection vulnerabilities remain a serious threat in web application development, with a prevalence of 23% of all critical web application vulnerabilities in 2024. This study aims to analyze the effectiveness of parameterized queries as a mechanism for preventing SQL injection attacks in a PHP-based authentication system. The research methodology uses an experimental approach that compares two implementations of a login system: a vulnerable version that uses string concatenation and a secure version that applies prepared statements through PHP Data Objects (PDO). Testing was carried out with 15 different SQL injection payloads to evaluate the bypass success rate against each implementation. The results show that the parameterized query implementation prevented 100% of the SQL injection attacks tested, while the vulnerable implementation suffered a bypass success rate of 93.3%. Performance analysis shows that parameterized queries execute 23% faster for repeated operations than string concatenation. These findings demonstrate that applying parameterized queries not only provides maximum security assurance but also optimizes web application performance.
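The two implementations the abstract compares, reduced to their essential difference, as an added example that is not the paper's own code: a login check built by string concatenation beside the same check written as a PDO prepared statement. Both run against a constructed in-memory SQLite database (the paper's database backend is not stated here), with a constructed user, a demo-only password digest, and a constructed tautology input; the function names and the `users` table layout are assumptions made for the example.

```php
<?php
// Added example (not from the paper): one login check written two ways against the same
// in-memory SQLite database, so that only the way the SQL text is built differs.
// The table, the user and the test inputs below are constructed for this demonstration.

function createDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, password_digest TEXT NOT NULL)');
    // Demo-only: an unsalted digest keeps the two login functions identical apart from how
    // the SQL is built. Production code stores password_hash() output, looks the user up by
    // username with a bound parameter and checks the password with password_verify().
    $ins = $db->prepare('INSERT INTO users (username, password_digest) VALUES (:u, :d)');
    $ins->execute([':u' => 'alice', ':d' => hash('sha256', 'correct-horse')]);
    return $db;
}

// Vulnerable pattern: user input is spliced into the SQL text, so the database parses it as code.
function loginConcat(PDO $db, string $username, string $password): bool {
    $digest = hash('sha256', $password);
    $sql = "SELECT id FROM users WHERE username = '" . $username . "' AND password_digest = '" . $digest . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false;
}

// Hardened pattern: the SQL text is fixed at prepare time; the values travel separately as data
// and can never change the structure of the statement.
function loginPrepared(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id FROM users WHERE username = :u AND password_digest = :d');
    $stmt->execute([':u' => $username, ':d' => hash('sha256', $password)]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

$db = createDemoDb();
$cases = [
    'valid credentials' => ['alice', 'correct-horse'],
    'wrong password'    => ['alice', 'guess'],
    'tautology input'   => ["' OR '1'='1' --", 'anything'],   // constructed test input
];
foreach ($cases as $label => [$u, $p]) {
    try {
        $c = loginConcat($db, $u, $p) ? 'LOGIN' : 'denied';
    } catch (PDOException $e) {
        $c = 'error';   // malformed SQL after concatenation surfaces here
    }
    $q = loginPrepared($db, $u, $p) ? 'LOGIN' : 'denied';
    printf("%-18s concat=%-7s prepared=%s\n", $label, $c, $q);
}
```

Run with `php login_compare.php` (any file name; requires the `pdo_sqlite` extension). The valid credentials succeed in both functions and the wrong password is denied in both, while the tautology input is accepted by `loginConcat`, because the quote closes the string literal and the `--` comments out the password clause, and is denied by `loginPrepared`, where the whole input is compared as an ordinary username value. The performance advantage the abstract reports for repeated operations comes from the same mechanism: `prepare()` is called once and `execute()` many times, so the database plans the statement once instead of re-parsing a freshly concatenated string on every login attempt.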