Method and device for constructing SQL statement

A technique for constructing Structured Query Language (SQL) statements that filters every variable and protects the fixed text of the statement, so that security risks such as SQL injection during program execution are addressed.

Active Publication Date: 2010-12-22
浙江银泰电子商务有限公司


Problems solved by technology

[0009] The purpose of the embodiments of the present invention is to provide a method and device for constructing SQL statements, so as to remove potential security hazards that may exist during the execution of system programs and to ensure that the generated SQL statements are safe.


Examples


Embodiment 1

[0109] Embodiment 1: Constructing a query-type and/or delete-type SQL statement

[0110] a. Obtain the information for constructing the SQL statement and find all variables in it. Here, the information is the information for a query-type and/or delete-type SQL statement.

[0111] b. Add single quotation marks to all of the information used to construct the SQL statement except the variables, thereby ensuring that this part of the content cannot be replaced through the variables.

[0112] c. Perform filtering operations on all the variables, specifically including:

[0113] c1. Find the variables belonging to the first category among all the variables, that is, the field name variables and the table name variables, and judge whether each field name variable and table name variable lies within the predetermined range of values. If so, the first-category variable passes the filtering operation; otherwise an e...

Embodiment 2

[0153] Embodiment 2: Constructing an insert-type SQL statement

[0154] a. Obtain the information for constructing the SQL statement and find all variables in it. Here, the information is the information for an insert-type SQL statement.

[0155] b. Add single quotation marks to all of the information used to construct the SQL statement except the variables, thereby ensuring that this part of the content cannot be replaced through the variables.

[0156] c. Perform filtering operations on all the variables, specifically including:

[0157] c1. Find the variables belonging to the first category among all the variables, that is, the field name variables and the table name variables, and judge whether each field name variable and table name variable lies within the predetermined range of values. If so, the first-category variable passes the filtering operation; otherwise an error message is given or ret...

Embodiment 3

[0191] Embodiment 3: Constructing an update-type SQL statement

[0192] a. Obtain the information for constructing the SQL statement and find all variables in it. Here, the information is the information for an update-type SQL statement.

[0193] b. Add single quotation marks to all of the information used to construct the SQL statement except the variables, thereby ensuring that this part of the content cannot be replaced through the variables.

[0194] c. Perform filtering operations on all the variables, specifically including:

[0195] c1. Find the variables belonging to the first category among all the variables, that is, the field name variables and the table name variables, and judge whether each field name variable and table name variable lies within the predetermined range of values. If so, the first-category variable passes the filtering operation; otherwise an error message is given or ret...
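The three embodiments above share one procedure: separate the fixed text of the statement from its variables, keep the fixed text literal, check every table-name and field-name variable (the first category) against a predetermined range, and only then assemble the statement. The following Python example, added here and not part of the patent or any product of its owner, implements that procedure for the query, delete, insert and update cases of Embodiments 1 to 3. The whitelist schema, the table names and the sample rows are constructed for the example. Because the page truncates the step that handles non-identifier variables, the example makes one assumption of its own: value variables are passed to the database driver as bound parameters rather than being character-filtered, which keeps them as data regardless of their content.

```python
import re
import sqlite3

# Constructed sample schema: the "predetermined range" of table names and
# field names that first-category variables are checked against in step c1.
ALLOWED_SCHEMA = {
    "users": ("id", "name", "email"),
    "orders": ("id", "user_id", "total"),
}

# Shape check applied before the whitelist lookup; rejects anything that is
# not a plain identifier (spaces, quotes, punctuation, dots).
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class SqlConstructionError(ValueError):
    """Raised when a variable fails the filtering step (the error branch of c1)."""


def check_identifier(table, field=None):
    """Step c1: a table-name or field-name variable passes only if it lies within
    the permitted range; otherwise construction stops with an error."""
    if not IDENTIFIER_RE.match(table) or table not in ALLOWED_SCHEMA:
        raise SqlConstructionError(f"table name {table!r} is outside the permitted range")
    if field is not None and (
        not IDENTIFIER_RE.match(field) or field not in ALLOWED_SCHEMA[table]
    ):
        raise SqlConstructionError(f"field name {field!r} is not a field of {table!r}")
    return True


def build_select(table, fields, where_field, where_value):
    """Embodiment 1, query type: fixed text stays literal, identifiers are
    whitelisted, the value variable becomes a bound parameter (assumption)."""
    check_identifier(table)
    for f in fields:
        check_identifier(table, f)
    check_identifier(table, where_field)
    sql = f"SELECT {', '.join(fields)} FROM {table} WHERE {where_field} = ?"
    return sql, (where_value,)


def build_delete(table, where_field, where_value):
    """Embodiment 1, delete type."""
    check_identifier(table, where_field)
    return f"DELETE FROM {table} WHERE {where_field} = ?", (where_value,)


def build_insert(table, row):
    """Embodiment 2, insert type: every key of `row` is a field-name variable."""
    check_identifier(table)
    fields = list(row)
    for f in fields:
        check_identifier(table, f)
    placeholders = ", ".join("?" for _ in fields)
    sql = f"INSERT INTO {table} ({', '.join(fields)}) VALUES ({placeholders})"
    return sql, tuple(row[f] for f in fields)


def build_update(table, assignments, where_field, where_value):
    """Embodiment 3, update type: assignment keys and the WHERE field are all
    field-name variables and are whitelisted before the statement is assembled."""
    check_identifier(table, where_field)
    fields = list(assignments)
    for f in fields:
        check_identifier(table, f)
    set_clause = ", ".join(f"{f} = ?" for f in fields)
    sql = f"UPDATE {table} SET {set_clause} WHERE {where_field} = ?"
    return sql, tuple(assignments[f] for f in fields) + (where_value,)


def demo():
    """Runs all four builders against an in-memory SQLite database (constructed
    data). A value containing a single quote is stored and matched as data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.execute(*build_insert("users", {"id": 1, "name": "O'Brien", "email": "ob@example.com"}))
    conn.execute(*build_update("users", {"email": "new@example.com"}, "id", 1))
    rows = conn.execute(*build_select("users", ["name", "email"], "id", 1)).fetchall()
    conn.execute(*build_delete("users", "name", "O'Brien"))
    remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    conn.close()
    return rows, remaining


if __name__ == "__main__":
    print(demo())
```

The identifier check does two things in order: a regular expression rejects any name that is not a bare identifier, and the whitelist lookup rejects any bare identifier the application does not expect. A field name that is valid for one table but not another (for example `total` against `users`) fails the second check, which is the "within the predetermined range" test of step c1 applied per table rather than globally.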


Abstract

The invention discloses a method and device for constructing SQL statements. The method comprises the following steps: obtaining the information for constructing the SQL statement; finding all variables in that information; adding single quotation marks to the remaining information, other than the variables; filtering all variables; and combining the variables with the single-quoted remaining information to generate the SQL statement. With the invention, when an SQL statement is constructed, every variable in it is filtered and the non-variable parts are protected by single quotation marks, so that the intermediate steps between initial filtering and generation of the SQL statement cannot be used by an attacker. Potential security hazards during execution of a system program are thereby avoided and the safety of the generated SQL statements is ensured. The method counters SQL injection attacks in Web system programs.

Description

Technical field

[0001] The present invention relates to the technical field of software, in particular to a method and device for constructing Structured Query Language (SQL) statements.

Background technique

[0002] Structured Query Language (SQL) is a general-purpose, database-oriented data processing language specification. An SQL injection attack is one in which the attacker exploits a defect of an existing system program, namely incomplete filtering of special characters in user-supplied input, to inject malicious SQL commands that the server's database engine then executes, with the aim of stealing data or even controlling the server.

[0003] SQL injection can exist in any system program that uses a back-end database; the most common are Web system programs such as PHP / JSP / ASP. A Web system program is an application mode that uses the Hypertext Transfer Protocol (HTTP) to ...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): G06F21/22, G06F17/30, G06F21/51
Inventor 林耀纳
Owner 浙江银泰电子商务有限公司