Method for detecting SQL (structured query language) injection vulnerability

A vulnerability detection technology applied in the field of network information security. It addresses the difficulty of detecting SQL injection without false positives or missed detections, improving detection accuracy and reducing the false alarm rate.

Inactive Publication Date: 2011-09-14
BEIJING INSTITUTE OF TECHNOLOGY

AI Technical Summary

Problems solved by technology

Generally, these are used only by enterprise-level applications. Although an application can be made more secure at considerable extra cost, this still cannot fundamentally and completely prevent SQL injection attacks.

[0016] Generally speaking, because such attacks are concealed and diverse, and because some SQL keywords are also commonly used by ordinary users, the difficulty in detecting SQL injection lies in ensuring that there are neither missed detections (false negatives) nor false alarms (false positives).


Embodiment Construction

[0050] The preferred embodiments of the present invention will be specifically described below in conjunction with the accompanying drawings.

[0051] This embodiment specifically implements the SQL injection vulnerability detection method described in the present invention, comprising the following steps:

[0052] 1. User input data interception:

[0053] In the step of intercepting user input data, the key to the subsequent detection work is to obtain completely the parameters that the user may submit to the application while ignoring data that is irrelevant to the database.

[0054] In this embodiment, two methods are provided to obtain input data:

[0055] 1. A standard web application is always accessed through a server (or the application itself is a server), and the most common and popular web servers always provide a set of interfaces for re-processing the data submitted by users; that is, the core component of the WEB server can be und...


Abstract

The invention relates to a method for detecting SQL (structured query language) injection vulnerability, comprising the following steps: 1, capturing user input data; 2, generating harmless input; 3, carrying out SQL lexical analysis and syntactic analysis to generate SQL syntax trees, namely a syntax tree based on the user-input strings and a syntax tree based on the harmless strings; 4, comparing the two SQL syntax trees, and if they are the same, considering the group of test strings to have passed the test; and 5, responding to the result: if a user attempting to carry out SQL injection is found, blocking the HTTP (hyper text transport protocol) packet, and otherwise releasing it. In the method, the analyzed objects are data input directly or indirectly by the user, which restores the user's real intention as far as possible and reduces the false alarm rate; meanwhile, because the analysis is based on SQL syntax trees, SQL injection can be blocked fundamentally, thereby improving detection accuracy.

Description

Technical field

[0001] The invention relates to a detection method aimed at SQL injection threats that can be used for web protection and intrusion detection, and belongs to the field of network information security.

Background technique

[0002] The relationship between the database and the WEB has become closer and closer. The web's convenience and speed, together with its wide range of users, have made B/S (browser/server) development more popular year by year. It can be said that the web has greatly expanded the user base of the database, letting it genuinely affect people's everyday lives. But while the web brings these advantages to the database, it also brings many hidden dangers. Among them, the most harmful, the most varied in attack methods, and the hardest to prevent is the SQL injection attack.

[0003] In a common front-end language for WEB applications, such as ASP.NET, PHP or JSP, a typical SQL statement for processing a login can be wr...


Application Information

Patent Timeline
Patent Type & Authority Applications(China)
IPC (8): H04L29/08; G06F17/30; H04L29/06
Inventors: 金福生, 宋挺, 戴银涛, 牛振东, 韩翔宇
Owner: BEIJING INSTITUTE OF TECHNOLOGY