SQL injection prevention method, device and system

A SQL injection prevention technique, applied in the computer field, that addresses problems such as insufficient learning traffic, the difficulty of describing every attack form with rules, and mis-learning of the normal traffic model.

Inactive Publication Date: 2014-10-29
NSFOCUS INFORMATION TECHNOLOGY CO LTD +1

AI Technical Summary

Problems solved by technology

[0010] However, the above method 1) faces the problem that SQL injection attacks take many forms: it is difficult to describe all possible attack forms with a set of attack signature rules without also matching normal SQL statements, so it suffers from high false positive and high false negative rates.
The above method 2) suffers from over-learning and under-learning. Over-learning usually means that attack traffic mixed into the normal traffic is learned by mistake, so the characteristics of the attack are carried into the final normal-traffic model, which leads to false negatives during detection; under-learning usually means that the learning traffic does not contain all normal traffic patterns, so the model for some normal traffic is never learned, which leads to false positives during detection.
The above method 3) cannot handle injection in HTTPS requests and cannot handle applications that encode parameters (it would need to be modified and implemented for each specific application), so its application scenarios are limited; in addition, for complex SQL injection attacks this method still produces some false positives and false negatives.
It can be seen that the related technologies all have problems of false positives and false negatives.


Examples


Embodiment 1

[0099] As shown in Figure 4, the method for defending against SQL injection in the embodiment of the present invention is described in detail, taking as an example a Web client that embeds semantic information into SQL statements and a database server that performs the SQL injection detection. The method includes steps 401 to 411:

[0100] Step 401: Before sending the SQL statement, the Web client embeds semantic information into the SQL statement to generate submission data containing the SQL statement and the semantic information, where the semantic information includes the SQL template corresponding to the SQL statement and the start and end symbols used to mark the SQL template.

[0101] Step 402: The Web client sends the submission data to the database server.

[0102] Step 403: The database server receives the submission data sent by the Web client.

[0103] Step 404: The database server judges whether the submitted data includes the ...

Embodiment 2

[0114] As shown in Figure 5, the method for defending against SQL injection in the embodiment of the present invention is described in detail, taking as an example the detection of a user login statement that does not contain SQL injection. The method includes steps 501 to 508:

[0115] Step 501: The web client receives the data input by the user, wherein the user name is admin, and the password is 123456.

[0116] Here, the source code snippet on the Web client that generates the SQL statement is:

[0117] "SELECT*FROM users WHERE user='"+name+"'AND passwd='"+pass+"'"

[0118] The SQL template corresponding to the SQL statement generated by this source code fragment is:

[0119] SELECT * FROM users WHERE name=$ AND passwd=$

[0120] Step 502: The Web client generates submission data containing the SQL statement and the semantic information.

[0121] Here, the submission data is:

[0122] [SELECT*FROM users WHERE name=$AND passwd=$]SELECT*FROM users WHERE name='adm...

Embodiment 3

[0133] As shown in Figure 8, the method for defending against SQL injection in the embodiment of the present invention is described in detail, taking as an example the detection of a user login statement that contains SQL injection. The method includes steps 801 to 808:

[0134] Step 801: The Web client receives the data input by the user, where the user name is admin and the password is 'or1='1.

[0135] Here, the source code snippet on the Web client that generates the SQL statement is:

[0136] "SELECT*FROM users WHERE user='"+name+"'AND passwd='"+pass+"'"

[0137] The SQL template corresponding to the SQL statement generated by the source code fragment is:

[0138] SELECT * FROM users WHERE name=$ AND passwd=$

[0139] Step 802: The Web client generates submission data containing the SQL statement and the semantic information.

[0140] Here, the submission data is:

[0141] [SELECT*FROM users WHERE name=$AND passwd=$]SELECT*FROM users WHERE name='admi...
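The two embodiments above (a clean login and an injected login) exercise the same server-side check: the client prefixes the statement with its SQL template between start and end symbols, and the server re-derives the template from the statement it actually received and compares the two. The following Python is an added illustration written for this page, not code from the patent or from NSFOCUS. It assumes `[` and `]` as the start and end symbols and `$` as the literal placeholder, as in the submission data shown above; the way a template is derived (replacing every string and numeric literal with `$`, then normalizing spacing) is a simplification the patent text does not spell out, and the column is called `name` throughout to match the template rather than the `user` column in the quoted snippet.

```python
import re
from typing import Optional, Tuple

# Start/end symbols and placeholder as used in the submission data on this page.
START, END, PLACEHOLDER = "[", "]", "$"

# Literals that get replaced when deriving a template (heuristic, assumed here):
# single-quoted strings (with '' as an escaped quote) and bare numbers.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")


def normalize(sql: str) -> str:
    """Collapse whitespace and drop spaces around operators so that
    'SELECT * FROM' and 'SELECT*FROM' compare equal."""
    sql = re.sub(r"\s+", " ", sql.strip())
    return re.sub(r"\s*([*=,()<>])\s*", r"\1", sql)


def sql_template(sql: str) -> str:
    """Derive the SQL template of a statement: every literal becomes '$'."""
    template = _STRING.sub(PLACEHOLDER, sql)
    template = _NUMBER.sub(PLACEHOLDER, template)
    return normalize(template)


# --- Web client side -------------------------------------------------------

# Template the client knows for its login statement (from the page).
LOGIN_TEMPLATE = "SELECT * FROM users WHERE name=$ AND passwd=$"


def build_login_query(name: str, password: str) -> str:
    """String concatenation exactly like the client snippet quoted above;
    this is the weak construction the server-side check is meant to catch."""
    return "SELECT * FROM users WHERE name='" + name + "' AND passwd='" + password + "'"


def embed_semantics(template: str, sql: str) -> str:
    """Step 401/502/802: submission data = [template]statement."""
    return f"{START}{template}{END}{sql}"


# --- Database server side --------------------------------------------------

def split_submission(data: str) -> Optional[Tuple[str, str]]:
    """Step 404: does the submission carry semantic information?
    Returns (declared_template, sql) or None when the markers are absent."""
    if not data.startswith(START):
        return None
    end = data.find(END)
    if end < 0:
        return None
    return data[len(START):end], data[end + len(END):]


def check_submission(data: str) -> Tuple[bool, str]:
    """Returns (allowed, reason). A statement is allowed only when the template
    derived from the received statement equals the template the client declared."""
    parts = split_submission(data)
    if parts is None:
        return False, "no semantic information in submission"
    declared, sql = parts
    derived = sql_template(sql)
    expected = normalize(declared)
    if derived != expected:
        return False, f"template mismatch: declared {expected!r}, derived {derived!r}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs mirroring Embodiment 2 (clean) and Embodiment 3 (injected).
    for user, pw in [("admin", "123456"), ("admin", "'or1='1")]:
        submission = embed_semantics(LOGIN_TEMPLATE, build_login_query(user, pw))
        print(submission)
        print("  ->", check_submission(submission))
```

The injected password turns `passwd='$'` into `passwd=$or1=$` once literals are stripped, so the derived template no longer equals the declared one and the statement is rejected; the clean login derives exactly the declared template. Note that the check only verifies that the statement's structure matches the declared template, so a client that declares a template derived from the already-tainted statement would defeat it; the template must come from the source code, as the patent's snippet implies.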


Abstract

The invention relates to the technical field of computers and discloses a SQL injection prevention method, device and system. The method includes the following steps: before a structured query language (SQL) statement is sent to a database server, semantic information is embedded into the SQL statement, and submission data containing the SQL statement and the semantic information is generated, where the semantic information contains an SQL template corresponding to the SQL statement together with a start symbol and an end symbol that mark the position of the SQL template; the submission data is then sent to the database server. In this way, an attacker is effectively prevented from obtaining sensitive data from the server through SQL injection and using it to attack the application, and false positives and false negatives are avoided.

Description

Technical field

[0001] The invention relates to the field of computer technology, in particular to a method, device and system for defending against SQL injection.

Background technique

[0002] With the development of applications in B/S (browser/server) mode, more and more programmers use this mode to write application programs, but the legitimacy of the data input by the user is often not checked, which leaves the application program with certain security risks and in particular the risk of Structured Query Language (SQL) injection.

[0003] SQL is a database query and programming language for accessing data and for querying, updating and managing relational database systems; SQL injection inserts SQL commands into Web forms, into domain names, or into the query string of a page request, and finally tricks the server into executing malicious SQL commands. Attackers attack ...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56, G06F17/30
CPC: G06F21/52, G06F16/2433
Inventor 张云海
Owner NSFOCUS INFORMATION TECHNOLOGY CO LTD