Socrates The Symposium and Its Serious Purpose Essay Example for Free

Socrates The Symposium and Its Serious Purpose Essay Socrates (469-399 B.C.E.)was a Greek philosopher.   Plato (ca. 429-347 B.C.E.)was the student of Socrates.   According to David H. Richter, because Plato mistrusted writing, he did not set down his philosophy in the usual form of a set of treatises but rather in dialogues (18).   The Symposium comes from a dialogue of Socrates ideas transcribed by Plato, because Socrates never wrote anything himself. Whether or not Plato kept his own ideas out of Socrates is the subject of debate:   . . . at times we may wonder whether Socrates is being serious or ironic, at other times whether he always speaks directly for Plato (Richter 18).   Be that as it may, The Symposium discusses the nature of love, and although it is written in a comic tone, nonetheless it also strives to explore love in a serious manner as bound in morality in the structured forms of drama, rhetoric and dialect.   Ã‚  Ã‚  Ã‚   The Symposium takes the form of several speeches by guests at a symposium, or drinking party, at the house of Agathon.   Each of the seven party guests, and their respective speeches, represent a different aspect of love.   Phaedrus takes a literary approach to the topic of love, while Pausanias a legal perspective.   Eryximachus brings a doctors view to the topic, and Aristophanes, as a comic poet, sticks with a humorous take on the subject.   Agathon uses a self-conscious poetic outlook, whereas Socrates puts a religious spin on love.   Finally, Alcibiades talks about his relationship, whether erotic or not, to Socrates.   If love is a part of or even the basis of morality, then it is not surprising that Socrates and Plato were interested in coming up with a clear idea of what love was, because according to D. Brendan Nagle, Socrates and Plato, came to the defense of the beleaguered city-state and tried to find a new and irrefutable moral basis for it (162).   Socrates was looking for a basis for morality, and certainly he thought at least a part of it was bound up in the idea of love.   C. M. Bowra, in Classical Greece, says that Socrates was the first exponent in Greece of a morality based on the demands of individual conscience rather than the demands of the state (137). This work explores this idea of love bound in morality.   Socrates, at a time before the drinking party, speaks to Diotima, who tells him a story about love.   She brings together the ideas of love and eternality, or what we might today call a true and undying love.   She relates how some men were willing to die for the sake of their name being bound to a good reputation even after their death.   She gives the example that Achilles would not have avenged Patroclus was it not for the memory of their virtues, which still survives among us, would be immortal? (The Symposium).   Ã‚  Ã‚  Ã‚   Plato uses the dramatic form as one type of structure for The Symposium (Platos Symposium).   There is an introduction, the body of the play, and an afterward.   The drama is built around the verbal antics of three pairs of speakers with differing points of view.   Phaedrus is a social climber and wants to get in good with the poets.   He is a rival to Pausanias for Agathons attention.   Pausanias, however, is Agathons current lover, so the plot thickens comedically in this first episode. The next scene takes place between Eryximachus, the physician who is bombastic and Aristophanes, the comic dramatist who was known for bringing down people with big egos.   The final portion is a debate between Agathon and Socrates.   Plato draws a verbal picture of Agathon as a flamboyant self-centered character, whereas Socrates comes across as simple and unfashionable.   These pairings help produce the comedy and satire of the piece.   Ã‚  Ã‚  Ã‚   The rhetoric of this piece can also be used as a form for the discussion of love in which these characters partake.   Some of the characters deliver their speeches in an exaggerated manner, such as Eryximachus and Agathon.   Others, like Socrates and Aristophanes, use a plain style.   By the end of the piece Alcibiades, the last speaker, explains in summary that inner beauty is more attractive than outer charm.   Ã‚  Ã‚  Ã‚   Another way to understand The Symposium is as an example of the Socratic method itself.   It starts with basic ideas about love, and gradually it grows to deeper understanding based on a question and answer format made famous by Socrates.   Phaedrus begins with the idea that love elevates the lover, but Pausanias counters that love can have a religious context or a secular one. The doctor gives a medical explanation for love, claiming that love will bring peace to the mind, whereas Aristophanes thinks that love is more self-centered, because the lover is looking for self-actualization through the means of love. Socrates has the final summary through expressing the ideas of Diotima to the other party guests that love in its purest form wants eternally to be immortal and also wants the good and the beautiful to be the focus of its immortality.   Ã‚  Ã‚  Ã‚   Socrates used humor as well as structure provided by drama, rhetoric, and the Socratic method of question and answer to get his message concerning love across not only to the guests at the party, but eventually to the world.   This piece has been the foundation upon which Western cultures idea of love was based.   Although Socrates students loved him, the state, not surprisingly, did not for several reasons.   The city-state leaders did not like the idea that Socrates questioned the popular religions of the day. He believed his search for self-individualism was greater than the needs of the state.   The state of Athens thought Socrates, in his role as an educator, to be a corrupting force on the youth of the city, and they condemned him to death.   He died surrounded by his friends and talking to them, after he had drunk hemlock, the poison that would take his life.   Plato called Socrates,the wisest and most just and best man who ever lived, a saint and a martyr (Bowra 138).   Even after Socrates death, Plato wrote down the words that Socrates said, and this is why we can begin to understand his thoughts in The Symposium. Works Cited Bowra, C. M. et al.   Classical Greece.   Alexandria, VA:   Time-   Ã‚  Ã‚  Ã‚   Life Books, 1977. Nagle, D. Brendan.   The Ancient World:   A Social and Cultural   Ã‚  Ã‚  Ã‚   History.   2nd ed. Englewood Cliffs, NJ:   Prentice Hall,   Ã‚  Ã‚  Ã‚   1989. Plato.   Symposium.   http://etext.library.adelaide.edu.au/p/   Ã‚  Ã‚  Ã‚   plato/p71sy/symposium.html Platos Symposium.   http://condor.depaul.edu/~dsimpson/   Ã‚  Ã‚  Ã‚   tlove/symposium.html Richter, David H.   The Critical Tradition:   Classic Texts and   Ã‚  Ã‚  Ã‚   Contemporary Trends.   2nd ed.   Boston:   Bedford Books, 1998.

Standard Forms of Contracts in Construction Benefits

Standard Forms of Contracts in Construction Benefits The Importance of Using Standard Forms of Contracts in Construction Industry According to the 1996 Act of UK law construction contract has been defined as an agreement in writing or evidenced in writing, under which a party carries out construction operations, arrange for others to carry out construction operations or/and provide labor for carrying out of construction operations (Zaghloul Hartman, 2003). The contract forms establish the legal relationship between the parties, in terms of rights, obligation and duties and regulate the commercial relationship between the parties (Robinson Lavers, 1996). There are two main classifications of contracts, namely standard and non standard contracts (Murdoch Hughes, 2007). In the recent times, the commercial activities associated with the construction industry are highly complex and the standard forms of contracts have integrated into the day-to-day transactions of most agreements (Bunni, 1997). It is not compulsory to use standard contracts in the construction industry; however it has become the common practice in procuring contractors, consultants or architects. There have been numerous recommendations by authors and researchers to adopt standard forms of contracts in the construction business. According to Banwell Report (1964), the construction industry should formulate and use a single standard-form contract for its entire projects. The Latham Report (1990s) also supported the concept as recommended the Engineering and Construction Contract to be adopted as universal standard construction contracts. The use of standard form of contract for all type of construction projects is not realistic, but for similar type of project has been seen to be indee d is very beneficial (Murdoch Hughes, 2007). The purpose of standardising contract forms is mainly to specify the chief variables concerning the construction processes and activities (Clegg, 1992). For example, it so happens in most projects that actual work done by the contractor differs from as specified in the contract. And these alterations are a major source of many conflicts and disputes (Othman, 1997). In such cases, standard forms contain arrangements as to how to manage these variations. Standard forms of contract are mostly published by an authoritative body of the industry, recognised by all the parties involved, outlining the terms and conditions which sets the parameters for the proceeding of the work. In the correct spirit of standardization, these forms are not subjected to any negotiation and amendments and are suitable for wide array of similar projects and works. The initial set of standard forms was formulated by the government department of UK for works in the public sector. Inspired by their concept, many other professional bodies also devised their versions of standard forms (Bunni, 1997; Ismail, n.d.). Among various standard forms of construction contracts are ICE 7 (Institute of Civil Engineers), NEC 3 (New Engineering Contract), JCT (Joint Contract Tribunal), FIDIC (International Federation of Consulting Engineers), AIA (American Institute of Architects), EJDC (Engineers Joint Contracts Documents Committee), etc. (Murdoch Hughes, 2007). There are several advantages associated with the use of standard forms of construction contracts. Basically, standard forms originate from different sectors of construction industry for various reasons (Murdoch Hughes, 2007). They have been devised as an output of a process of negotiation between various sectors of the industry; hence, they represent a compromise between the interest groups of the industry (Murdoch Hughes, 2000). Also, as numbers of interest groups are involved and considered in the formulation of standard contracts, there is better possibility of fair and balanced risk allocation among the parties involved (Murdoch Hughes, 2007). The prime reason that inclines construction personnel to adopt standard form of contracts is familiarity. The major advantage of using a standard contractual form is that by repetitive use of the document one becomes familiar with its content, and hence is conscious of both its strengths and drawbacks (Broome Hayes, 1997). The contractual complexities associated with any type of contract are often rather typical to understand. The use of standard contractual documents aids in familiarising the various contractual clauses and provisions to the users (Murdoch Hughes, 2007). This familiarity with the content and clauses of the contract leads to lesser number of disputes and misunderstandings. The possibility of redundancy is also removed (Broome Hayes, 1997). In addition, the repetitive use of these forms leads to development of experience bank and result in increased efficiency (Bunni, 1997). Precedent is another important factor which generates from being similar with the contract and is favorable to the involved parties. In the scenario when a disputed project is taken to court, the standard contracts enable the lawyers to advice their clients regarding the probable result of the case, as judges are bound to follow the previous decisions (Broome Hayes, 1997). Standard forms of contracts have been reported and observed to assist the conduct of trade (Murdoch Hughes, 2000). Another factor which attracts personnel towards standard contracts is that it reduces the focus on specific contractual terms during the bargaining process (Murdoch Hughes, 2007). These forms are helpful in reducing the cost linked to tendering and contract administration. This is contrary to the amended forms of contracted which require the clients and tenderers to seek additional legal advice and the probability of the disputes resulting from unfamiliar terms also increase (OGC, n.d.). These forms lead to saving in time as drawing up of contracts from scratch is a tedious task (Ismail, n.d.). Standardisation of the contract forms provides basic legal frameworks which recognise the rights, obligations and duties of the parties and highlights the ambit of the powers and duties of the contract administrator (Nayagam Pathmavathy, 2005). Furthermore, standardisation of contracts leads to higher degree of certainty and fairness during tendering process. They become the basis of comparison and evaluation and familiarity with the content makes it convenient and faster in pricing as well (Bunni, 1997; Ismail, n.d.). As aforementioned, there are various institutions which have developed standard forms of contract. One of the most used and popular set of standard forms of contract have been developed by International Federation of Consulting Engineers (FIDIC). These forms have been in use for international construction projects ever since their formulation in 1957. The FIDIC contracts provide a comprehensive code which can be applied with ease in any legal system. The input has been provided from both engineers with experience of many engineering projects and lawyers with wide array of experience drafting construction contracts. The acquaintance with these contracts has offered the construction industry benefits in both tendering and project management. The contracts offer balanced and clearly defined risks between the contracting parties. FIDIC believes that it only a fair and balanced contract which is in the lasting best interest of all concerned. The contracts account for all possible and prob able risk factors as well as clearly define the role of all involved parties. These aspects of the contract facilitate in reducing the number of unwarranted disputes and litigations (Thomas, Glover Hughes, 2006; Wade, 2005). FIDIC and other similar standard forms of contract are favourable to the construction industry as they facilitate the saving of both time and cost two success criteria for any type of construction projects. With the exception of few entirely unique projects, construction projects often share their main characteristics and these standard forms are devised considering the same. Reference: Broome, J.C. Hayes, R.W., 1997, A comparison of the clarity of traditional construction contracts and of the New Engineering Contract, International Journal of Project Management, Vol. 15, No. 4, pp. 255-261 Clegg, R.S., 1992, Contracts cause conflicts, In Construction Conflict Management and Resolution, 25-27 September, UMIST, pp 128-144 Ismail, Z., n.d., Standard Forms of Construction Contracts, Lecture on Construction Law, available at: http://www.scribd.com/doc/10109497/Lect-2-Standard-Forms, accessed 11/02/2010 Nayagam, K. Pathmavathy, N., 2005, Drafting Construction Contracts, Legal Insight, Issue 2, page 5-7 Murdoch, H. Hughes, W., 2007, Construction Contracts, Edition 3, Routledge, pg 101-117 Murdoch, H. Hughes, W., 2000, Construction Contracts Law and Management, Edition 3, Spon Press Office of Government Commerce, n.d., Procurement and Contract Strategies, Achieving Excellence in Construction Procurement Guide, available at: http://www.ogc.gov.uk/documents/CP0066AEGuide6.pdf, accessed 10/02/2010 Othman, N., 1997, Management of variations in construction contracts, In A. Thorpe (ed.) Proceedingsofthe13th Annual Association of Researchers in Construction Management (ARCOM), 15-17 September, Kings College, Cambridge Robinson, N.M. Lavers, A.P. 1996, Construction Law in Singapore and Malaysia, 2nd Edition, Butterworths Thomas, C., Glover, J. Hughes, S., 2006, Understanding the new FIDIC red book: a clause-by-clause commentary, Sweet Maxwell Wade, C., 2005, The FIDIC Contract Forms and the New MDB Contract, International Construction Contracts and the Resolution of Disputes ICC-FIDIC Conference Paris 2005 Zaghloul, R. Hartman, F., 2003, Construction contract: the cost of mistrust, International Journal of Project Management, Vol. 21, pp 419-424

Alternative Medicines: Homeopathy, Acupuncture, Aromatherapy, Chiroprac

An ancient Chinese proverb proclaims, "Nature, time and patience are the three great doctors". Nowadays more and more people choose to be treated by methods that are not based on Western systematic techniques that are the knowledge and practice of medicine which is usual in the West. These methods are known as â€Å"Alternative medicine†, which consists of homeopathy, acupuncture, aromatherapy, chiropractic medicine and others. Chinese medicine is also gaining popularity among people. The alternative way of treatment has verified its efficiency and is methodically founded, but, unfortunately, has its little disadvantages and needs a scientific base. For that reason, the alternative medicine is not generally available in all countries, and people have to pay for their individual treatment. Whereas some people consider it an ambiguity and do not dare try it because they consider it might be quite dangerous or insecure, some others just think about it as nonsense and pay little o r no attention to it. People who feel anxious or doubtful of it claim that if non-traditional medicine had really worked, then appropriate doctors would have used it. Nevertheless, since the early 1980s, the alternative medicine has become increasingly popular, and although it is not officially accepted by the medical base, some doctors do accept that such methods can be effective in treating some types of illnesses. Moreover, usual medicine has its boundaries, since some illnesses are untreatable and some others which are caused by mental troubles cannot be cured by its methods (Kowalski, 1998). In distinction, an alternative way of treatment can be efficient in various circumstances and there is a common approval that its methods can be valuable and advant... ...http://elibrary.ru/item.asp?id=2749982 Epiro, E. & Walsh, N., (1997). â€Å"Alternative Medicine–Part Two: Mind Body Medicine–Expanding Health Model†. Patient Care 15 Sept. 1997: 127-145. Retrieved: February 13, 2011, from: http://www.oppap.com/subjects/health-and-medicine-of-the-middle-ages-page6.html Furman, B., (1997). â€Å"Trendy Traditional Medicine for a Modern Age.† San Diego Business Journal 10 Mar. 1997: A7-8. Retrieved: February 13, 2011, from: www.oppapers.com/subjects/diego-rod/ Krizmanic, J., (1995). â€Å"The Best of Both Worlds† Vegetarian Times Nov. 1995: 96-101. Retrieved: February 13, 2011, from: www.findarticles.com/p/articles/mi_m0820/ Kowalski, K., (1998). Alternative Medicine Is It For You? Springfield, New Jersey: Enslow Publishers. Retrieved: February 14, 2011, from: http://biography.jrank.org/pages/553/Kowalski-Kathiann-M-1955-Writings.html

My Educational Philosophy :: Philosophy of Education Teaching

My Educational Philosophy When I become a teacher I will strive to better my student’s life not only intellectually, but also socially and emotionally. I will strive to learn from them as much as I teach them; in hopes to become a better teacher to my future pupils. I was inspired to do this by a special teacher who is also my ideal teacher. Mr. Bishop, my junior high teacher, was a big role model to me; he is a teacher whom I model myself after. He is a teacher who always had an answer to everything. Sometimes, I think that he must be the wisest man I know. If you ever needed help he was there for you. Mr. Bishop is a teacher to this day that I trust in and talk to, and I think that’s the way every teacher should be. I hope that after I graduate and become a teacher that I will be someone’s role model or someone a student can come and talk to when they may have a problem and can trust in. As an educator I want to motivate my students to learn. I hope to build their confidence and self-esteem to overcome fears of failure and strive to reach their goals and dreams. There are many reasons why I want to become a teacher, but the main reason would be that I love the feeling of helping someone be the best person they can be. When I think that I would have a part in this process it makes all my efforts worth everything. Teachers play a very vital role in today’s society. Without teachers there would be no doctors, lawyers, or any other professions. Every skilled working person in America can attribute some of his or her abilities or skills to a teacher. A good teacher does not only teach curriculum, but he or she also teaches children about life. A classroom should make children feel emotionally fit, because not all of them have that stability at home. A good teacher laughs with their students, but knows when to be serious. Children need good teachers, and I intend to become one. When I become a teacher, my classroom will consist of many different colors to give the children a sense of a fun atmosphere.

John Locke helped create Modern Democracy Essay

John Locke was an English philosopher and was considered as the first British Empiricists. His contributions proved great importance to the development of epistemology and political philosophy during those times, and is regarded as the most influential thinker to contribute to the liberal theory of government. As a whole, John Locke’s importance is reflected by the American Declaration of Independence, since men by nature is free and equal, discarding the thought about having a monarch, as everyone is entitled to become a monarch. It was through John Locke’s theories that people’s eyes were opened to the reality, the fact that all of us are born free. John Locke viewed and claimed that men are naturally free and equal, versus the notion that God appointed a monarch to rule over other people. Some of the things that Locke fought for were the people’s basic rights, including the right to life, liberty, and property – these concerns became the basic foundations of laws in any particular society today (Tuckness). Looking closely at the implication of what John Locke has fought for, it is more of establishing a concrete grounding which can be used as basis of other rules and laws that you prepare. In the context of establishing a government, John Locke used the claim that men are naturally free and equal in order to justify the understanding regarding the legitimacy of a political government which is the outcome of a social contract that regards the people as the major stakeholders, and that the government will be established to ensure the stability, comfort and enjoyment of these people’s lives, liberty and property. In short, the government, though privileged to preside over the people, still rests on popular consent, and people are entitled to rebel if they see that the government is subversive of what they stand for – the protection of life, liberty and property (Tuckness). Governments, just like what we have today, exist by the consent of the people under the jurisdiction of that government. Their main purpose according to Locke is to protect these people’s rights, as well as promote public good. In relation to this, those governments who are unable to function accordingly can be resisted by the people and e replace with new governments (Blupete. com). Though nowadays it would surely undergo a very long process to replace a current government, people still have the power to pursue these measures if the need be. Locke advocated majority rule, something which is similar to the current democracy that we have today. Modern democracy as we see today can be greatly associated with what John Locke has helped establish and defended many years ago. The purpose is people empowerment, the realization of the people’s rights and fighting to preserve these rights against violators. This has led to the creation of the democratic government that we have today, and through this type of government, we live a free and equal lives, without oppression from other people, as well as injustice in the things we do. We see the democratic government not only as a ruling body in the society but also a guard that would keep watch of out precious inalienable rights as citizens of this country and as human beings. We have instated a higher ruling body to do a set of purpose, and if it doesn’t, it is our responsibility to tear it down and replace it with the ones which are more appropriate and more deserving of the position. It is not the government that runs the people, but instead, it’s the people that run the government. Works Cited: Blupete. com. â€Å"John Locke (1632-1704):The Philosopher of Freedom†. 2006. April 4 2008. . Tuckness, Alex. â€Å"Locke’s Political Philosophy†. 2005. April 4 2008. .

Social Work, Poverty & Homeless

Poverty and Homeless March 20, 2012 Poverty and Homeless Poverty Poverty can be defined in several ways and can mean different things to people of different societies. Absolute poverty is to have inadequate funds to provide a minimum standard of living for oneself or one’s family. Relative poverty is defined as doing worse off financially than the average person in a given society. Persons living in relative poverty may have no car, no television, and no toys for their children but have enough money for clothing, food and shelter.Relative to the average Americans, they are living poorly. A person or family living in absolute poverty, on the other hand, may not have enough money to pay for the rent or groceries for the month. These different ways of defining poverty are debated by government officials and researchers. How poverty is defined is integral to the task of reducing its prevalence in society. Statistics With 18. 2% (U. S. Census, 2006-2008) of people in the United Sta tes are living below the poverty level, it is increasingly important that the government should take measures regarding this context.Poverty thresholds or income levels is dependent on the number of family members. Poverty in United States of America is unique in nature with 13-17% Americans live below the poverty line in America. Although extreme poverty is virtually nonexistent in the Organization for Economic Cooperation and Development (OECD) countries, national measures indicate the presence of economic deprivation. For example, in the United States in 2006, 38. 8 million people, or 13. 3% of the population, fell below the federal poverty line (Fields, 2000).In the United States, the poverty threshold was established in 1965 based on the cost of food, taking into account household size and composition but making no adjustment for regional differences in cost of living. The threshold is adjusted annually for inflation. For example, in 2007, the federal poverty threshold for a fa mily of three, with one adult and two children, was $16,705—far above the extreme world poverty measure but well below the national average income (Filmer, 2001). Geographic LocaleOf the people living below the poverty level in the United States, 44% live in rural areas, and approximately 56% live in urban/suburban locales. Many of the contemporary stories depict characters in urban and suburban settings where people are living on the streets, in shelters, in their cars, or in apartments and homes. Race/Ethnicity An analysis of the portrayal of race is very complicated. In the United States Census Bureau (2006-2008) shows that there is more White people living in poverty in the United States than any other racial group.However, if one looks at the percentage of people living below the poverty line within racial groups, the statistics For instance, of the total number of poor people living in the United States, 46. 06% are White; however, of all of the White people living in t he United States, only 9. 2% are poor. Also, while only 1. 5% of the poor people living in the United States are Native Americans, within that population, 25. 3% are living in poverty. In other words, one out of 10 White people live in poverty versus one out of four Native Americans living in poverty (Hanushek, 2007).Negative Effects of Poverty 1. Increasing the debt and loans to meet individual consumer needs and necessities instead of working on plans for Renaissance and the construction and reconstruction. 2. Peoples' economic dependence of countries and peoples of the donor loans and debt, and the consequent negative impact in all aspects and sides. 3. Increase the exploitation and monopoly, and thus increase the poor poorer and the rich richer, because the poor because of their strong need to be unable to compete are subject to the conditions. . Poor often cannot because of lack of money to have on the use of modern technology and modern techniques. 5. Poor often are busy filli ng his hunger for knowledge and culture; there remains sufficient time for learning and culture. 6. Illiteracy, ignorance and backwardness as stated above. 7. Increasing the rate of mortality, where the link between all the experts most of the diseases of poverty, and thus the death of many people have mentioned the impact of hunger in the death of children (Levin, 2004). Root-Cause of PovertyPoverty is a big subject and an area of policy which affects every part of the USA. It is not much known about but impossible to hide. The poor suffer it, the middle class and the rich pay taxes to relieve it but at the same time they have always sought measures to contain and neutralize the poor. Multiple factors operating at various interconnected scales cause poverty. Globally, uneven trade and capital flows lead to poverty through exclusion from the benefits of economic growth. Access to water and natural resources, transportation, and climate also shape physical abilities and economic oppo rtunities.International and national policies influence poverty directly, through aid, subsidies, and antipoverty programs, and indirectly, through economic policies that affect the allocation of resources between people, regions, and industries. While some argue that individual characteristics such as education and the work ethic are paramount in explaining poverty, others insist that social and economic structures define capabilities based on gender, class, caste, race, religion, and other forces. Women are often denied access to education, paid employment, health care, financial resources, and political participation because of their gender.While these socially embedded practices deprive women of economic opportunities and basic freedoms, they also contribute to poverty indirectly through fertility and child care (Psacharopoulos, 2004). In the United States, the rise of â€Å"working poverty† has been linked to economic restructuring and the decline of the welfare state. T he role of these factors varies from place to place and underscores the importance of geography in understanding poverty. Poverty has increased recently in Western Asia and remains fairly constant in Latin America. References Fields, G. (2000). Distribution and development: a new look at the developing world.Cambridge & London: MIT Press. Filmer, D. , & Pritchett, L. (2001). Estimating wealth effects without expenditure data – or tears: an application to educational enrollments in states of India. Demography, 38(1). Hanushek, E. A. , & Wo? mann, L. (2007). The role of school improvement in economic development. NBER Working Paper 12832. Cambridge, Mass. : National Bureau of Economic Research. Psacharopoulos, G. , & Patrinos, H. (2004). Returns to investment in education: a further update. Education Economics, 12(2), Levin, B. (2004). Poverty and inner-city education. Horizons, 7(2),

An Approach to Detect and Prevent Sql Injection Attacks in Database Using Web Service

IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011 197 An Approach to Detect and Prevent SQL Injection Attacks in Database Using Web Service IndraniBalasundaram 1 Dr. E. Ramaraj2 1 Lecturer, Department of Computer Science, Madurai Kamaraj University, Madurai 2 Director of Computer Centre Alagappa University, Karaikudi. Abstract SQL injection is an attack methodology that targets the data residing in a database through the firewall that shields it. The attack takes advantage of poor input validation in code and ebsite administration. SQL Injection Attacks occur when an attacker is able to insert a series of SQL statements in to a ‘query’ by manipulating user input data in to a web-based application, attacker can take advantages of web application programming security flaws and pass unexpected malicious SQL statements through a web application for execution by the backend database. This paper proposes a novel specification-ba sed methodology for the prevention of SQL injection Attacks. The two most important advantages of the new approach against xisting analogous mechanisms are that, first, it prevents all forms of SQL injection attacks; second, Current technique does not allow the user to access database directly in database server. The innovative technique â€Å"Web Service Oriented XPATH Authentication Technique† is to detect and prevent SQLInjection Attacks in database the deployment of this technique is by generating functions of two filtration models that are Active Guard and Service Detector of application scripts additionally allowing seamless integration with currently-deployed systems. General TermsLanguages, Security, Verification, Experimentation. Keywords Database security, world-wide web, web application security, SQL injection attacks, Runtime Monitoring changes to data. The fear of SQL injection attacks has become increasingly frequent and serious. . SQL-Injection Attacks are a cl ass of attacks that many of these systems are highly vulnerable to, and there is no known fool-proof defend against such attacks. Compromise of these web applications represents a serious threat to organizations that have deployed them, and also to users who trust these systems to store confidential data. The Web applications hat are vulnerable to SQL-Injection attacks user inputs the attacker’s embeds commands and gets executed [4]. The attackers directly access the database underlying an application and leak or alter confidential information and execute malicious code [1][2]. In some cases, attackers even use an SQL Injection vulnerability to take control and corrupt the system that hosts the Web application. The increasing number of web applications falling prey to these attacks is alarmingly high [3] Prevention of SQLIA’s is a major challenge. It is difficult to implement and enforce a rigorous defensive coding discipline. Many olutions based on defensive coding ad dress only a subset of the possible attacks. Evaluation of â€Å"â€Å"Web Service Oriented XPATH Authentication Technique† has no code modification as well as automation of detection and prevention of SQL Injection Attacks. Recent U. S. industry regulations such as the Sarbanes-Oxley Act [5] pertaining to information security, try to enforce strict security compliance by application vendors. 1. Introduction 1. 1 SAMPLE – APPLICATION Information is the most important business asset in today’s environment and achieving an appropriate level of Information Security. SQL-Injection Attacks (SQLIA’s) re one of the topmost threats for web application security. For example financial fraud, theft confidential data, deface website, sabotage, espionage and cyber terrorism. The evaluation process of security tools for detection and prevention of SQLIA’s. To implement security guidelines inside or outside the database it is recommended to access the sensitive databases should be monitored. It is a hacking technique in which the attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make Application that contain SQL Injection vulnerability.The example refers to a fairly simple vulnerability that could be prevented using a straightforward coding fix. This example is simply used for illustrative purposes because it is easy to understand and general enough to illustrate many different types of attacks. The code in the example uses the input parameters LoginID, password to dynamically build an SQL query and submit it to a database. For example, if a user submits loginID and password as â€Å"secret,† and â€Å"123,† the application dynamically builds and submits the query: Manuscript received January 5, 2011 Manuscript revised January 20, 2011 198IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011 SELECT * from FROM loginID=’secret’ AND pass1=123 user_info WHERE If the loginID and password match the corresponding entry in the database, it will be redirect to user_main. aspx page other wise it will be redirect to error. aspx page. 1. dim loginId, Password as string 2. loginId = Text1. Text 3. password = Text2. Text 3. cn. open() 4. qry=†select * from user_info where LoginID=’† & loginID & â€Å"’ and pass1=† & password & â€Å"† 5. cmd=new sqlcommand(qry,cn) 6. rd=cmd. executereader() 7. if (rd. Read=True) Then 8. Response. redirect(â€Å"user_main. spx†) 9. else 10. Response. redirect(â€Å"error. aspx†) 11. end if 12. cn. close() 13. cmd. dispose() b. Union Query In union-query attacks, Attackers do this by injecting a statement of the form: UNION SELECT because the attackers completely control the second/injected query they can use that query to retrieve information from a specified table. The result of this attack is that th e database returns a dataset that is the union of the results of the original first query and the results of the injected second query. Example: An attacker could inject the text â€Å"’ UNION SELECT pass1 from user_info where LoginID=’secret – -† nto the login field, which produces the following query: SELECT pass1 FROM user_info WHERE loginID=’’ UNION SELECT pass1 from user_info where LoginID=’secret’ — AND pass1=’’ Assuming that there is no login equal to â€Å"†, the original first query returns the null set, whereas the second query returns data from the â€Å"user_info† table. In this case, the database would return column â€Å"pass1† for account â€Å"secret†. The database takes the results of these two queries, unions them, and returns them to the application. In many applications, the effect of this operation is that the value for â€Å"pass1† is displayed along with the account informationFigure 1: Example of . NET code implementation. 1. 2 Techniques of SQLIA’S Most of the attacks are not in isolated they are used together or sequentially, depending on the specific goals of the attacker. a. Tautologies Tautology-based attack is to inject code in one or more conditional statements so that they always evaluate to true. The most common usages of this technique are to bypass authentication pages and extract data. If the attack is successful when the code either displays all of the returned records or performs some action if at least one record is returned. Example: In this example attack, an attacker submits â€Å" ’ or 1=1 – -†The Query for Login mode is: SELECT * FROM user_info WHERE loginID=’’ or 1=1 – AND pass1=’’ The code injected in the conditional (OR 1=1) transforms the entire WHERE clause into a tautology the query evaluates to true for each row in the table and returns a ll of them. In our example, the returned set evaluates to a not null value, which causes the application to conclude that the user authentication was successful. Therefore, the application would invoke method user_main. aspx and to access the application [6] [7] [8]. c. Stored Procedures SQL Injection Attacks of this type try to execute stored procedures present in the database.Today, most database vendors ship databases with a standard set of stored procedures that extend the functionality of the database and allow for interaction with the operating system. Therefore, once an attacker determines which backend database is in use, SQLIAs can be crafted to execute stored procedures provided by that specific database, including procedures that interact with the operating system. It is a common misconception that using stored procedures to write Web applications renders them invulnerable to SQLIAs. Developers are often surprised to find that their stored procedures can be just as vulner able o attacks as their normal applications [18, 24]. Additionally, because stored procedures are often written in special scripting languages, they can contain other types of vulnerabilities, such as buffer overflows, that allow attackers to run arbitrary code on the server or escalate their privileges. CREATE PROCEDURE DBO. UserValid(@LoginID varchar2, @pass1 varchar2 AS EXEC(â€Å"SELECT * FROM user_info WHERE loginID=’† [email  protected]+ â€Å"’ and pass1=’† [email  protected]+ â€Å"’†);GO Example: This example demonstrates how a parameterized stored procedure can be exploited via an SQLIA. In the example, we assume that the query string constructed at ines 5, 6 and 7 of our example has been replaced by a call IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011 to the stored procedure defined in Figure 2. The stored procedure returns a true/false value to indicate whether the u ser’s credentials authenticated correctly. To launch an SQLIA, the attacker simply injects â€Å" ’ ; SHUTDOWN; –† into either the LoginID or pass1 fields. This injection causes the stored procedure to generate the following query: SELECT * FROM user_info WHERE loginID=’secret’ AND pass1=’; SHUTDOWN; -At this point, this attack works like a piggy-back attack.The first query is executed normally, and then the second, malicious query is executed, which results in a database shut down. This example shows that stored procedures can be vulnerable to the same range of attacks as traditional application code [6] [11] [12] [10] [13] [14] [15]. d. Extended stored procedures IIS(Internet Information Services) Reset There are several extended stored procedures that can cause permanent damage to a system[19]. Extended stored procedure can be executed by using login form with an injected command as the LoginId LoginId:';execmaster.. xp_xxx;-Passwo rd:[Anything] LoginId:';execmaster.. p_cmdshell'iisreset';-Password:[Anything] select password from user_info where LoginId=†; exec master.. xp_cmdshell ‘iisreset'; –‘ and Password=† This Attack is used to stop the service of the web server of particular Web application. Stored procedures primarily consist of SQL commands, while XPs can provide entirely new functions via their code. An attacker can take advantage of extended stored procedure by entering a suitable command. This is possible if there is no proper input validation. xp_cmdshell is a built-in extended stored procedure that allows the execution of arbitrary command lines. For example: exec master.. p_cmdshell ‘dir' will obtain a directory listing of the current working directory of the SQL Server process. In this example, the attacker may try entering the following input into a search form can be used for the attack. When the query string is parsed and sent to SQL Server, the server wi ll process the following code: SELECT * FROM user_info WHERE input text =† exec master.. xp_cmdshell LoginId /DELETE'–‘ 199 Here, the first single quote entered by the user closes the string and SQL Server executes the next SQL statements in the batch including a command to delete a LoginId to the user_info table in the database. . Alternate Encodings Alternate encodings do not provide any unique way to attack an application they are simply an enabling technique that allows attackers to evade detection and prevention techniques and exploit vulnerabilities that might not otherwise be exploitable. These evasion techniques are often necessary because a common defensive coding practice is to scan for certain known â€Å"bad characters,† such as single quotes and comment operators. To evade this defense, attackers have employed alternate methods of encoding their attack strings (e. g. , using hexadecimal, ASCII, and Unicode character encoding).Common scanning an d detection techniques do not try to evaluate all specially encoded strings, thus allowing these attacks to go undetected. Contributing to the problem is that different layers in an application have different ways of handling alternate encodings. The application may scan for certain types of escape characters that represent alternate encodings in its language domain. Another layer (e. g. , the database) may use different escape characters or even completely different ways of encoding. For example, a database could use the expression char(120) to represent an alternately-encoded character x†, but char(120) has no special meaning in the application language’s context. An effective code-based defense against alternate encodings is difficult to implement in practice because it requires developers to consider of all of the possible encodings that could affect a given query string as it passes through the different application layers. Therefore, attackers have been very succe ssful in using alternate encodings to conceal their attack strings. Example: Because every type of attack could be represented using an alternate encoding, here we simply provide an example of how esoteric an alternativelyencoded attack could appear.In this attack, the following text is injected into the login field: â€Å"secret’; exec(0x73687574646f776e) – – †. The resulting query generated by the application is: SELECT * FROM user_info WHERE loginID=’secret’; exec(char(0x73687574646f776e)) — AND pass1=’’ This example makes use of the char() function and of ASCII hexadecimal encoding. The char() function takes as a parameter an integer or hexadecimal encoding of a character and returns an instance of that character. The stream of numbers in the second part of the injection is the 200 IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. , January 2011 ASCII hexadecimal encoding of the strin g â€Å"SHUTDOWN. † Therefore, when the query is interpreted by the database, it would result in the execution, by the database, of the SHUTDOWN command. References: [6] f. Deny Database service This attack used in the websites to issue a denial of service by shutting down the SQL Server. A powerful command recognized by SQL Server is SHUTDOWN WITH NOWAIT [19]. This causes the server to shutdown, immediately stopping the Windows service. After this command has been issued, the service must be manually restarted by the administrator. select password from user_info whereLoginId=';shutdown with nowait; –‘ and Password='0' The ‘–‘ character sequence is the ‘single line comment' sequence in Transact – SQL, and the ‘;' character denotes the end of one query and the beginning of another. If he has used the default sa account, or has acquired the required privileges, SQL server will shut down, and will require a restart in order to f unction again. This attack is used to stop the database service of a particular web application. Select * from user_info where LoginId=’1;xp_cmdshell ‘format c:/q /yes ‘; drop database mydb; –AND pass1 = 0 This command is used to format the C: drive used by the ttacker. 2. Related Work There are existing techniques that can be used to detect and prevent input manipulation vulnerabilities. 2. 1 Web Vulnerability Scanning Web vulnerability scanners crawl and scan for web vulnerabilities by using software agents. These tools perform attacks against web applications, usually in a black-box fashion, and detect vulnerabilities by observing the applications’ response to the attacks [18]. However, without exact knowledge about the internal structure of applications, a black-box approach might not have enough test cases to reveal existing vulnerabilities and also have alse positives. 2. 2 Intrusion Detection System (IDS) Valeur and colleagues [17] propose the use of an Intrusion Detection System (IDS) to detect SQLIA. Their IDS system is based on a machine learning technique that is trained using a set of typical application queries. The technique builds models of the typical queries and then monitors the application at runtime to identify queries that do not match the model in that it builds expected query models and then checks dynamically-generated queries for compliance with the model. Their technique, however, like most techniques based on learning, can generate large umber of false positive in the absence of an optimal training set. Su and Wassermann [8] propose a solution to prevent SQLIAs by analyzing the parse tree of the statement, generating custom validation code, and wrapping the vulnerable statement in the validation code. They conducted a study using five real world web applications and applied their SQLCHECK wrapper to each application. They found that their wrapper stopped all of the SQLIAs in their attack set without g enerating any false positives. While their wrapper was effective in preventing SQLIAs with modern attack structures, we hope to shift the focus rom the structure of the attacks and onto removing the SQLIVs. 2. 3 Combined Static and Dynamic Analysis. AMNESIA is a model-based technique that combines static analysis and runtime monitoring [1][7]. In its static phase, AMNESIA uses static analysis to build models of the different types of queries an application can legally generate at each point of access to the database. In its dynamic phase, AMNESIA intercepts all queries before they are sent to the database and checks each query against the statically built models. Queries that violate the model are identified as SQLIA’s and prevented from executing on the database.In their evaluation, the authors have shown that this technique performs well against SQLIA’s. The primary limitation of this technique is that its success is dependent on the accuracy of its static analysis f or building query models. Certain types of code obfuscation or query development techniques could make this step less precise and result in both false positives and false negatives Livshits and Lam [16] use static analysis techniques to detect vulnerabilities in software. The basic approach is to use information flow techniques to detect when tainted input has been used to construct an SQL query. These ueries are then flagged as SQLIA vulnerabilities. The authors demonstrate the viability of their technique by using this approach to find security vulnerabilities in a benchmark suite. The primary limitation of this approach is that it can detect only known patterns of SQLIA’s and, IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011 because it uses a conservative analysis and has limited support for untainting operations, can generate a relatively high amount of false positives. Wassermann and Su propose an approach that uses stati c analysis combined with automated reasoning to verify that he SQL queries generated in the application layer cannot contain a tautology [9]. The primary drawback of this technique is that its scope is limited to detecting and preventing tautologies and cannot detect other types of attacks. 3. Proposed Technique This Technique is used to detect and prevent SQLIA’s with runtime monitoring. The solution insights behind the technique are that for each application, when the login page is redirected to our checking page, it was to detect and prevent SQL Injection attacks without stopping legitimate accesses. Moreover, this technique proved to be efficient, imposing only a low overhead on the Web pplications. The contribution of this work is as follows: A new automated technique for preventing SQLIA’s where no code modification required, Webservice which has the functions of db_2_XMLGenrerator and XPATH_ Validator such that it is an XML query language to select specific part s of an XML document. XPATH is simply the ability to traverse nodes from XML and obtain information. It is used for the temporary storage of sensitive data’s from the database, Active Guard model is used to detect and prevent SQL Injection attacks. Service Detector model allow the Authenticated or legitimate user to access the web applications.The SQLIA’s are captured by altered logical flow of the application. Innovative technique (figure:1) monitors dynamically generated queries with Active Guard model and Service Detector model at runtime and check them for compliance. If the Data Comparison violates the model then it represents potential SQLIA’s and prevented from executing on the database. This proposed technique consists of two filtration models to prevent SQLIA’S. 1) Active Guard filtration model 2) Service Detector filtration model. The steps are summarized and then describe them in more detail in following sections. a. Active Guard Filtration Mod elActive Guard Filtration Model in application layer build a Susceptibility detector to detect and prevent the Susceptibility characters or Meta characters to prevent the malicious attacks from accessing the data’s from database. b. Service Detector Filtration Model Service Detector Filtration Model in application layer validates user input from XPATH_Validator where the Sensitive data’s are stored from the Database at second 201 level filtration model. The user input fields compare with the data existed in XPATH_Validator if it is identical then the Authenticated /legitimate user is allowed to proceed. c. Web Service LayerWeb service builds two types of execution process that are DB_2_Xml generator and XPATH_ Validator. DB_2_Xml generator is used to create a separate temporary storage of Xml document from database where the Sensitive data’s are stored in XPATH_ Validator, The user input field from the Service Detector compare with the data existed in XPATH_ Val idator, if the data’s are similar XPATH_ Validator send a flag with the count iterator value = 1 to the Service Detector by signifying the user data is valid. Procedures Executed in Active Guard Function stripQuotes(ByVal strWords) stripQuotes = Replace(strWords, â€Å"‘†, â€Å"†Ã¢â‚¬ ) Return stripQuotesEnd Function Function killChars(ByVal strWords) Dim arr1 As New ArrayList arr1. Add(â€Å"select†) arr1. Add(â€Å"–â€Å") arr1. Add(â€Å"drop†) arr1. Add(â€Å";†) arr1. Add(â€Å"insert†) arr1. Add(â€Å"delete†) arr1. Add(â€Å"xp_†) arr1. Add(â€Å"‘†) Dim i As Integer For i = 0 To arr1. Count – 1 strWords = Replace(strWords, arr1. Item(i), â€Å"†, , , CompareMethod. Text) Next Return strWords End Function IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011 202 Figure 2: proposed Architecture Procedures Executed in Service D etector navi. Compile(â€Å"/Main_Tag/Details[LoginId='† & userName & â€Å"‘ and Password=† & Password & â€Å"]†) _Public Sub Db_2_XML() adapt=New SqlDataAdapter(â€Å"select LoginId,Password from user_info†, cn) Dim nodes As XPathNodeIterator = navi. Select(expr) Dim count2 As Integer = nodes. Count. ToString() Return count2 dst = New DataSet(â€Å"Main_Tag†) End Function adapt. Fill(dst, â€Å"Details†) dst. WriteXml(Server. MapPath(â€Å"XML_DATAXML_D ATA. xml†)) End Sub Procedures Executed in Web Service _ Public Function XPath_XML_Validation(ByVal userName As String, ByVal Password As Integer) As Integer Dim xpathdoc As New XPathDocument(Server. MapPath(â€Å"XML_DATAX ML_DATA. xml†)) Dim navi As XPathNavigator = xpathdoc. CreateNavigator() Dim expr As XPathExpression = . Identify hotspot This step performs a simple scanning of the application code to identify hotspots. Each hotspot will be verified with the Active Server to remove the susceptibility character the sample code (figure: 2) states two hotspots with a single query execution. (In . NET based applications, interactions with the database occur through calls to specific methods in the System. Data. Sqlclient namespace, 1 such as Sqlcommand- . ExecuteReader (String)) the hotspot is instrumented with monitor code, which matches dynamically generated queries against query models. If a generated query is matched with Active Guard, then it is onsidered an attack. 3. 1 Comparison of Data at Runtime Monitoring When a Web application fails to properly sanitize the parameters, which are passed to, dynamically created SQL statements (even when using parameterization techniques) it is possible for an attacker to alter the construction of back-end SQL statements. IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011 When an attacker is able to modify an SQL statement, the statement will execute with t he same rights as the application user; when using the SQL server to execute commands that interact with the operating system, the rocess will run with the same permissions as the component that executed the command (e. g. , database server, application server, or Web server), which is often highly privileged. Current technique (Figure: 1) append with Active Guard, to validate the user input fields to detect the Meta character and prevent the malicious attacker. Transact-SQL statements will be prohibited directly from user input. For each hotspot, statically build a Susceptibility detector in Active Guard to check any malicious strings or characters append SQL tokens (SQL keywords and operators), delimiters, or string tokens to the legitimate command.Concurrently in Web service the DB_2_Xml Generator generates a XML document from database and stored in X_PATH Validator. Service Detector receive the validated user input from Active Guard and send through the protocol SOAP (Simple Obj ect Access Protocol) to the web service from the web service the user input data compare with XML_Validator if it is identical the XML_Validator send a flag as a iterator count value = 1 to Service Detector through the SOAP protocol then the legitimate/valid user is Authenticated to access the web application, If the data mismatches the XML_Validator send a flag as a count alue = 0 to Service Detector through the SOAP protocol then the illegitimate/invalid user is not Authenticated to access the web application. In figure 3: In the existing technique query validation occur to validate a Authenticated user and the user directly access the database but in the current technique, there is no query validation . From the Active Guard the validated user input fields compare with the Service Detector where the Sensitive data is stored, db_2_XML Generator is used to generate a XML file and initialize to the class XPATH document the instance Navigator is used to search by using cursor in the selected XML document.With in the XPATH validator, Compile is a method which is used to match the element with the existing document. The navigator will be created in the xpathdocument using select method result will be redirected to the XPATH node iterator. The node iterator count value may be 1 or 0, If the flag value result in Service Detector as 1 then the user consider as Legitimate user and allowed to access the web application as the same the flag value result in Service Detector as 0 then the user consider as Malicious user and reject/discard from accessing the web application If the script builds an SQL query by concatenating hard-coded trings together with a string entered by the user, As long as injected SQL code is syntactically correct, tampering cannot be detected programmatically. String concatenation is the primary point of entry for script injection Therefore, 203 we Compare all user input carefully with Service Detector (Second filtration model). If the user input and Sensitive data’s are identical then executes constructed SQL commands in the Application server. Existing techniques directly allows accessing the database in database server after the Query validation. Web Service Oriented XPATH Authentication Technique does not allow directly to ccess database in database server. 4. EVALUATIONS The proposed technique is deployed and tried few trial runs on the web server. Table 1: SQLIA’S Prevention Accuracy SQL Injection Types Unprotected Protected 1. TAUTOLOGIES Not Prevented Prevented 2. PIGGY BACKED QUERIES Not Prevented Prevented 3. STORED PROCEDURE Not Prevented Prevented 4. ALTERNATIVE ENCODING Not Prevented Prevented 5. UNION Not Prevented Prevented Table 2: Execution Time comparison for proposed technique Total Number of Entries in Database Execution Time in Millisecond Existing Proposed Technique Technique 1000 1640000 46000 2000 1420000 93000 3000 1040000 6000 4000 1210000 62000 5000 1670000 78000 6000 1390000 107000 T he above given table 2 illustrate the execution time taken for the proposed technique with the existing technique. 4. 1 SQLIA Prevention Accuracy Both the protected and unprotected web Applications are tested using different types of SQLIA’s; namely use of Tautologies, Union, Piggy-Backed Queries, Inserting additional SQL statements, Second-order SQL injection and various other SQLIA s. Table 1 shows that the proposed technique prevented all types of SQLIA s in all cases. The proposed technique is thus a secure and robust solution to defend against SQLIA’sIJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011 204 4. 2 Execution Time at Runtime Validation The runtime validation incurs some overhead in terms of execution time at both the Web Service Oriented XPATH Authentication Technique and SQL-Query based Validation Technique. Taken a sample website ETransaction measured the extra computation time at the query validation, th is delay has been amplified in the graph (figure: 4 and figure:5) to distinguish between the Time delays using bar chart shows that the data validation in XML_Validator performs better than query validation.In Query validation(figure:5) the user input is generated as a query in script engine then it gets parsed in to separate tokens then the user input is compared with the statistical generated data if it is malicious generates error reporting. Web Service Oriented XPATH Authentication Technique (figure: 4) states that user input is generated as a query in script engine then it gets parsed in to separate tokens, and send through the protocol SOAP to Susceptibility Detector, then the validated user data is sequentially send to Service Detector through the protocol SOAP then the user input is ompared with the sensitive data, which is temporarily stored in dataset. If it is malicious data, it will be prevented otherwise the legitimate data is allowed to access the Web application. 5. C ONCLUSION SQL Injection Attacks attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are parsed to retrieve data from the database. Any procedure that constructs SQL statements could potentially be vulnerable, as the diverse nature of SQL and the methods available for constructing it provide a wealth of coding options. 1800000 Execution time in Milli Sec 1600000 1400000 1200000 000000 Proposed Technique Existing Technique 800000 600000 400000 200000 0 1000 2000 3000 4000 5000 6000 Total Number of Entries in Database Figure4: Execution Time comparison for proposed technique (data validation in X-path) with existing technique The primary form of SQL injection consists of direct insertion of code into parameters that are concatenated with SQL commands and executed. This technique is used to detect and prevent the SQLI flaw (Susceptibility characters & exploiting SQL commands) in Susceptibility Detector and prevent the Susceptibility att acker Web Service Oriented XPATH Authentication Technique hecks the user input with valid database which is stored separately in XPATH and do not affect database directly then the validated user input field is allowed to access the web application as well as used to improve the performance of the server side validation This proposed technique was able to suitably classify the attacks that performed on the applications without blocking legitimate accesses to the database (i. e. , the technique produced neither false positives nor false negatives). These results show that our technique represents a promising approach to countering SQLIA’s and motivate further work in this irection References [1] William G. J. Halfond and Alessandro Orso , â€Å"AMNESIA: Analysis and Monitoring for Neutralizing SQLInjection Attacks†, ASE’05, November 7–11, 2005 [2] William G. J. Hal fond and Alessandro Orso, â€Å"A Classification of SQL injection attacks and countermeasure s†,proc IEEE int’l Symp. Secure Software Engg. , Mar. 2006. IJCSNS International Journal of Computer Science and Network Security, VOL. 11 No. 1, January 2011 [3] Muthuprasanna, Ke Wei, Suraj Kothari, â€Å"Eliminating SQL Injection Attacks – A TransparentDefenceMechanism†, SQL Injection Attacks Prof. Jim Whitehead CMPS 183. Spring 2006, May 17, 2006 4] William G. J. Hal fond, Alessandro Orso, â€Å"WASP: Protecting Web Applications Using Positive Tainting and Syntax-Aware Evaluation IEEE Software Engineering, VOL. 34, NO. 1January/February 2008 [5] K. Beaver, â€Å"Achieving Sarbanes-Oxley compliance for Web applications†, http://www. spidynamics. com/support/whitepapers/, 2003 [6] C. Anley, â€Å"Advanced SQL Injection In SQL Server Applications,† White paper, Next Generation Security Software Ltd. , 2002. [7] W. G. J. Halfond and A. Orso, â€Å"Combining Static Analysis and Runtime Monitoring to Counter SQL Injection Attacks,† 3rd International Workshop on Dynamic Analysis, 2005, pp. – 7 [8] Z. Su and G. Wassermann, â€Å"The Essence of Command Injection Attacks in Web Applications,† 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, 2006, pp. 372-382. [9] G. Wassermann and Z. Su. An Analysis Framework for Security in Web Applications. In Proceedings of the FSE Workshop on Specification and Verification of componentBased Systems (SAVCBS 2004), pages 70–78, 2004. [10] P. Finnigan, â€Å"SQL Injection and Oracle – Parts 1 & 2,† Technical Report, Security Focus, November 2002. http://securityfocus. com/infocus/1644 [11] F. Bouma, â€Å"Stored Procedures are Bad, O’kay,† Technical report,Asp. Net Weblogs, November 2003. http://weblogs. asp. net/fbouma/archive/2003/11/18/38178. as px. [12] E. M. Fayo, â€Å"Advanced SQL Injection in Oracle Databases,† Technical report, Argeniss Information Security, Black Hat Briefings, Black Hat USA, 2 005. [13] C. A. Mackay, â€Å"SQL Injection Attacks and Some Tips on How to Prevent them,† Technical report, The Code Project, January 2005. http://www. codeproject. com/cs/database/ qlInjectionAttacks. asp. [14] S. McDonald. SQL Injection: Modes of attack, defense, and why it matters. White paper, GovernmentSecurity. org, April 2002. http://www. governmentsecurity. rg/articles/SQLInjectionM odesofAttackDefenceandWhyItMatters. php [15] S. Labs. SQL Injection. White paper, SPI Dynamics, Inc. ,2002. http://www. spidynamics. com/assets/documents/Whitepaper SQLInjection. pdf. [16] V. B. Livshits and M. S. Lam. Finding Security Errors in Java Programs with Static Analysis. In Proceedings of the 14th Usenix Security Symposium, pages 271–286, Aug. 2005. [17] F. Valeur and D. Mutz and G. Vigna â€Å"A Learning-Based Approach to the Detection of SQL Attacks,† In Proceedings of the Conference on Detection of Intrusions and Malware Vulnerability Assessment (DIMVA), July 20 05. [18] Kals, S. Kirda, E. , Kruegel, C. , and Jovanovic, N. 2006. SecuBat: a web vulnerability scanner. In Proceedings of the 205 15th International Conference on World Wide Web. WWW '06. ACM Press, pp. 247-256. [19] Sql injection – HSC Guides – Web App Security Written by Ethical Hacker sunday, 17 February 2008. http://sqlinjections. blogspot. com/2009/04/sql-injection-hscguides-web-app. html. Prof. E. Ramaraj is presently working as a Technology Advisor, Madurai Kamaraj University, Madurai, Tamilnadu, India on lien from Director, computer centre at Alagappa university, Karaikudi. He has 22 years teaching experience and 8 years esearch experience. He has presented research papers in more than 50 national and international conferences and published more than 55 papers in national and international journals. His research areas include Data mining, software engineering, database and network security. B. Indrani received the B. Sc. degree in Computer Science, in 2002; t he M. Sc. degree in Computer Science and Information Technology, in 2004. She had completed M. Phil. in Computer Science. She worked as a Research Assistant in Smart and Secure Environment Lab under IIT, Madras. Her current research interests include Database Security.