Mixed structured query language (SQL) injection protection method

A security protection and syntax-tree technology, applied in special data processing applications, instruments, electrical digital data processing, etc., to improve performance and accuracy and to resolve the conflict between accuracy rate and false-alarm rate.

Status: Inactive
Publication Date: 2012-09-19
STATE GRID ELECTRIC POWER RES INST

AI Technical Summary

Problems solved by technology

By using the two methods together, on the one hand, it can well alleviate the problems of insufficient coverage and matching accuracy that pattern matching may bring; on the other hand, it can solve the high recognition rate and high misjudgment rate that fe



Examples

Specific example

[0067] (1) select * from a where username = 'chenfeng' and passwd = 123;

[0068] (2) select * from USER_CATALOG where name = 'chen'or 1=1;

[0069] (3) select * from person where age = 24 and name = 'li' and 1=1;

[0070] 402: parse the SQL statement to generate a syntax tree; if parsing fails, jump to step 407;

[0071] 403: analyze the syntax tree to obtain the access behavior characteristics, and match them against the knowledge base. If the match fails, jump to step 407; otherwise jump to step 404;

[0072] For (1) select * from a where username = 'chenfeng' and passwd = 123, the database access behavior is:

[0073]
    No.  Database object  Type    Operation
    1    a                table   query
    2    username         column  query
    3    passwd           column  query

[0074] Match the access behavior against the database behavior pool; see Figure 3 for the matching process.

[0075] As in the above steps, select * from USER_CATALOG where name = 'chen'or 1=1 access behavi...
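As an added illustration (not code from the patent or its owner), the following Python sketches the two-stage flow described in steps 402 to 404 above: a simplified stand-in for the syntax-tree stage extracts (object name, type, operation) triples, the behavior is first matched against a knowledge base learned from legitimate statements, and only unmatched statements go to a risk-value feature filter. The risk features, their weights and the threshold are assumptions, since the patent text here does not give them.

```python
import re
from typing import FrozenSet, Iterable, Optional, Set, Tuple

Behavior = FrozenSet[Tuple[str, str, str]]  # (object name, object type, operation)

# Assumed, simplified stand-in for the patent's syntax-tree stage: it only
# understands "select ... from <table> where <col> = ... [and|or <col> = ...]".
_FROM = re.compile(r"\bfrom\s+([a-z_]\w*)", re.I)
_COL = re.compile(r"\b([a-z_]\w*)\s*=", re.I)

def access_behavior(sql: str) -> Optional[Behavior]:
    """Steps 402/403: parse the statement and extract its access behavior."""
    m = _FROM.search(sql)
    if not m:
        return None                           # parse error -> step 407
    where = sql.lower().partition(" where ")[2]
    feats = {(m.group(1).lower(), "table", "query")}
    feats |= {(c, "column", "query") for c in _COL.findall(where)}
    return frozenset(feats)

def learn(legal_sql: Iterable[str]) -> Set[Behavior]:
    """Build the knowledge base from statements learned in a secure environment."""
    return {b for b in map(access_behavior, legal_sql) if b is not None}

# Assumed risk features and weights; the patent does not list its own.
RISK_FEATURES = {
    r"\b(\w+)\s*=\s*\1\b": 0.6,   # tautology such as 1=1
    r"\bor\b": 0.2,               # disjunction that widens the predicate
    r"--|/\*": 0.5,               # comment that truncates the statement
    r"\bunion\b": 0.5,            # merges a second result set
}
RISK_THRESHOLD = 0.5

def risk_value(sql: str) -> float:
    """Deep feature check (step 407 here): sum the weights of the features present."""
    return sum(w for pat, w in RISK_FEATURES.items() if re.search(pat, sql, re.I))

def check(sql: str, kb: Set[Behavior]) -> str:
    """Static pattern match first; the feature filter runs only for unmatched statements."""
    beh = access_behavior(sql)
    if beh is not None and beh in kb:
        return "legal"                        # step 404: matched the knowledge base
    return "illegal" if risk_value(sql) >= RISK_THRESHOLD else "legal"

if __name__ == "__main__":
    kb = learn(["select * from a where username = 'chenfeng' and passwd = 123;"])
    print(check("select * from USER_CATALOG where name = 'chen'or 1=1;", kb))
```

A statement whose behavior is absent from the knowledge base but carries no risk feature is still accepted, which is the "not immediately determined to be illegal" path the abstract describes.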


Abstract

The invention discloses a mixed structured query language (SQL) injection protection method that combines a static pattern matching technology with a dynamic feature filtering technology. The method comprises the following steps: automatically learning all legitimate SQL statements of a business system in a secure environment and constructing a knowledge base from them; then, in the real-time working environment, matching incoming SQL statements against the knowledge base with a pattern matching algorithm, and treating a statement as legitimate if the match succeeds. A statement that fails to match is not immediately judged illegal; instead, a deep feature check is performed with a risk-value-based feature filtering algorithm, which identifies the truly illegal SQL statements. Because the pattern matching method and the feature filtering method complement each other, a good effect is achieved, and the conflict between accuracy rate and false-alarm rate found in conventional injection protection methods is resolved.

Description

Technical field

[0001] The invention relates to a database SQL injection protection method, in particular to a SQL injection protection method that uses pattern matching and feature filtering.

Background technique

[0002] With the development of the Internet, dynamic business websites based on the B/S model are increasingly favored by major companies. Most of them adopt the ASP(.NET)+SQL+IIS platform architecture, and more and more application programmers use this model to write applications. However, the uneven skill of programmers and the immaturity of security defense technology have introduced many insecure factors into application systems. Most web application systems need to interact with users, receiving data from them and processing it. If an attacker deliberately enters maliciously constructed data, the malicious code contained in that data will be executed by the system or by other clients, causing damage to the server or client; this is...


Application Information

IPC(8): G06F17/30
Inventor 石聪聪余勇林为民张涛张小建郭骞蒋诚智范杰冯谷费稼轩俞庚申高鹏李尼格鲍兴川曹宛恬
Owner STATE GRID ELECTRIC POWER RES INST