Method and system for SQL injection and defense

Abstract

The invention provides an SQL injection and defense method aiming at a data base, which comprises the following steps: (a), receiving SQL statements accessing a data base and sent out by an application system; (b), performing the injection judging and checking to the SQL statements; if the SQL statements are SQL injection, intercepting the SQL injection, recording the mistake, and returning the abnormal information to the application system; if the SQL statements are not the SQL injection, querying an operational interface specification of the corresponding data base required to be accessed by the SQL statements, and splicing SQL statements conform to the data base operational interface specification; (c), sending the specified SQL statements spliced in the step (b) to a corresponding data base to perform data base operation; (d), returning the queried result to the application system. According to the invention, a data base agent server is arranged as per the method provided by the invention, an operation and maintenance method is used for rejecting access permission of any other application system except the data base agent server to the data base, thereby preventing the SQL injection.

Description

technical field [0001] The invention relates to the field of computer network information security protection, in particular to an improved SQL injection defense method and system. Background technique [0002] With the popularity of Web applications and browser / server (B / S) mode applications, the security issues of Web applications are also increasingly concerned. SQL injection attack is the most common web application attack technique, and the security damage caused by SQL injection attack is also irreparable. The so-called SQL injection attack is that the attacker inserts SQL commands into the input field of the Web form or the query string of the page request to trick the server into executing malicious SQL commands. In some forms, the content entered by users is directly used to construct or affect dynamic SQL commands, or as input parameters of stored procedures. Such forms are particularly vulnerable to SQL injection attacks. [0003] SQL injection can be divided in...

AI Technical Summary

Problems solved by technology

One is the problem of missed judgment of keywords. According to the flexibility of SQL statements, experienced attackers can easily bypass the preset keywords on the server side to attack, which reduces the accuracy of SQL injection detection.

The second is the problem of misjudging keywords

This method is based on known safe SQL, but is limited by the integrity of SQL. Its disadvantage is that not only "sufficient" SQL is required for the system to learn the known SQL syntax tree, but how to define "sufficient" is difficult

If a large amount of learning is required to achieve the so-called "sufficient" standard, the learning cost and execution efficiency will be seriously affected

In addition, the knowledge base method cannot exhaustively enumerate all SQL syntax trees, so false positives cannot be avoided

At present, the occurrence of false positives can only be reduced by continuously updating the legal SQL statement knowledge base, which is very cumbersome and inefficient

Images