
Second-order SQL injection attack defense method

A technique for defending against injection attacks on SQL statements, applied in the information field. It addresses problems such as the complexity of second-order SQL injection, data loss and tampering, and takeover of the system, so as to reduce the attack payloads stored in the database, defend against SQL injection attacks, and improve the security protection effect.

Pending Publication Date: 2020-01-03
HUNAN UNIV

AI Technical Summary

Problems solved by technology

The harm caused by a second-order SQL injection is the same as that of the equivalent first-order SQL injection: it causes information leakage, data loss and tampering, and can even lead to the system being controlled.
However, second-order SQL injection is more complex, more concealed, and harder to detect.



Examples


Embodiment 1

[0038] Embodiment 1 is an example of a second-order SQL injection attack in which the user input includes SQL keywords. Suppose an attacker registers on a website, entering "test'or 1=1;--" as the user name and "123" as the password, and the corresponding static SQL statement in the WEB source program is INSERT INTO User(userName,password) VALUES('?','?');. Suppose the randomly generated number r and the shared key K are XORed and the result R is 6573. After SQL keyword conversion, the static SQL statement becomes INSERT6573 INTO6573 User(userName,password) VALUES6573('?','?');. The WEB server splices the static SQL statement part with the user's dynamic input part, so the SQL statement at this point is INSERT6573 INTO6573 User(userName,password) VALUES6573('test'or 1=1;--','123');. The proxy server deployed and configured according to the present invention intercepts the SQL statement that the WEB server sends to the database server, and finds that the user input contai...

Embodiment 2

[0040] Embodiment 2 is an example of a second-order SQL injection attack in which the user input does not contain SQL keywords. Suppose an attacker registers on a website, entering "admin';--" as the user name and "123" as the password. The corresponding static SQL statement in the WEB source program is INSERT INTO User(userName,password) VALUES('?','?');. Suppose the randomly generated number r and the shared key K are XORed and the result R is 6573; after SQL keyword transformation the static SQL statement becomes INSERT6573 INTO6573 User(userName,password) VALUES6573('?','?');. The WEB server splices the static SQL statement part with the user's dynamic input part, and the SQL statement at this point is INSERT6573 INTO6573 User(userName,password) VALUES6573("admin';--", "123");. The proxy server implementing the scheme of the present invention intercepts the SQL statement that the WEB server sends to the database server, and uses the regular expression met...
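The following Python is an added illustration of the keyword-suffix scheme in Embodiments 1 and 2, not code from the patent: the static statement's keywords receive the suffix R = r XOR K, the WEB server splices user input into it, and the proxy flags any SQL keyword that lacks the suffix before stripping the suffix and forwarding. The keyword list, the values r = 9999 and K = 16034 (chosen so that R = 6573), and the benign inputs are constructed assumptions; the regular-expression check of Embodiment 2 is not reproduced because the page truncates it, and the example only shows that the keyword check alone does not catch that input.

```python
import re

# Constructed keyword list; the patent does not enumerate which keywords it converts.
SQL_KEYWORDS = ("INSERT", "INTO", "VALUES", "SELECT", "FROM", "WHERE",
                "OR", "AND", "UNION", "DROP", "UPDATE", "DELETE")
# Bare keyword: word boundary on both sides, so a suffixed keyword never matches.
KW_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def make_suffix(r: int, k: int) -> str:
    """R = r XOR K, the suffix appended to every keyword (6573 in the embodiments)."""
    return str(r ^ k)


def randomize_static_sql(static_sql: str, suffix: str) -> str:
    """Keyword conversion of the developer's static statement (done before splicing)."""
    return KW_RE.sub(lambda m: m.group(1) + suffix, static_sql)


def splice(randomized_sql: str, params) -> str:
    """Mimics the WEB server filling '?' placeholders by string concatenation."""
    out = randomized_sql
    for p in params:
        out = out.replace("?", p, 1)
    return out


def unsuffixed_keywords(spliced_sql: str) -> list:
    """Proxy check: keywords without the suffix can only have come from user input."""
    return [m.group(1) for m in KW_RE.finditer(spliced_sql)]


def proxy_forward(spliced_sql: str, suffix: str):
    """Returns (statement to forward, leaked keywords); statement is None when blocked."""
    leaked = unsuffixed_keywords(spliced_sql)
    if leaked:
        return None, leaked
    # Strip the suffix only where it follows a keyword, so data such as the
    # literal '6573' inside a user value is left intact.
    strip_re = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")" + re.escape(suffix), re.I)
    return strip_re.sub(lambda m: m.group(1), spliced_sql), []


STATIC_SQL = "INSERT INTO User(userName,password) VALUES('?','?');"

if __name__ == "__main__":
    suffix = make_suffix(9999, 16034)                     # constructed r and K -> "6573"
    randomized = randomize_static_sql(STATIC_SQL, suffix)
    print(proxy_forward(splice(randomized, ["test'or 1=1;--", "123"]), suffix))  # blocked
    print(proxy_forward(splice(randomized, ["alice", "123"]), suffix))           # forwarded
```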


Abstract

The invention discloses a second-order SQL (Structured Query Language) injection attack defense method, which analyzes SQL statements from the two aspects of storage and triggering and carries out defense on both. On the one hand, the attack payload stored in the database is greatly reduced; on the other hand, the data of the database is no longer subjected to split-phase operation, and the data is verified before it is taken out of the database and stored in memory, so that the triggering of SQL injection attacks is blocked, SQL injection attack behaviors are effectively defended against, and the security protection of the Web server and its background database is greatly improved.

Description

Technical field

[0001] The invention belongs to the field of information technology, and in particular relates to a second-order SQL injection attack defense method.

Background technique

[0002] With the advent of the WEB 2.0 era, more and more database-backed WEB applications are used in the business systems of enterprises. However, if developers lack the corresponding security awareness, the application will carry many security risks. Many factors affect the security of web applications, among which SQL injection attacks are the most common and the easiest to carry out. A SQL injection attack refers to an attacker inserting SQL commands into the input fields or query string of a page request submitted through a web form, in order to trick the database into running malicious SQL commands.

[0003] The patent application number CN201610972899.2 discloses a SQL injection attack defense system and defense method based on syntax transformatio...


Application Information

IPC(8): G06F21/56, G06F16/2452
CPC: G06F21/563, G06F16/2452
Inventors: 刘敏, 曾华光
Owner: HUNAN UNIV