CN107644175A - A kind of method for preventing SQL injection - Google Patents
A kind of method for preventing SQL injection
- Publication number: CN107644175A (application CN201710823393.XA)
- Authority: CN (China)
- Prior art keywords: sql, sql statement, injection, sql injection, statement
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Storage Device Security (AREA)
Description
Technical field
The invention relates to the field of information security technology, and in particular to a method for preventing SQL injection.
Background
SQL (Structured Query Language) is a structured query language for databases; most SQL syntax is based on the ANSI SQL-92 standard. A single SQL statement can execute a query or perform an insert, delete or update operation on the database. A large number of Web 2.0-era websites use SQL to access and store data, and much of their code performs no adequate security checks on user input on the application side. SQL statements built without such checks may contain malicious user input, injected server variables or malicious cookie content, such as malicious SQL strings. This user input is concatenated on the user side into a syntactically legal SQL statement and executed on the server, causing leakage of sensitive data or loss of data in the database. Websites, databases and data are therefore exposed to serious security risk, and defending against SQL injection has become an extremely important security task for service providers.
SQL injection is usually classified as: (1) comment injection, which uses comment characters (-- or #) to truncate the normal query or bypass SQL validation; (2) tautology attacks, which inject into a WHERE condition so that it is always true, bypassing validation and extracting data; (3) illegal or logically incorrect queries, which obtain information about the database to prepare the next attack; (4) UNION query attacks, which use the SQL keyword UNION to bypass database validation and steal data; (5) piggy-backed query attacks, which, when the database allows multiple statements to be executed, run arbitrary SQL statements alongside the normal one; (6) stored procedure attacks, which construct commands that execute stored procedures; (7) inference attacks, used when the database administrator has hardened the security settings so that logically incorrect queries no longer reveal enough information: query requests are constructed and the injectable parameters are inferred from the responses returned by the database; (8) alternate encoding attacks, which re-encode the injected text to evade detection; (9) second-order injection, which first stores the attack payload legitimately in the database and then launches the attack when the stored field is legitimately read back.
Detection methods for SQL injection usually include whitelist and blacklist techniques, in which only SQL statements on a whitelist are executed and SQL statements, IP addresses or keywords on a blacklist are refused, and signature-based detection, which assumes that injected SQL usually has certain characteristics, such as user input that contains comment characters, multiple statements or SQL keywords, and checks for injection against an accumulated set of such signatures. These methods have clear limitations: the result of signature-based detection depends on whether the signature set for injection attacks is complete and accurate, while whitelist and blacklist techniques strictly restrict the SQL statements a user may run to a predefined set, limiting flexibility.
Summary of the invention
The purpose of the present invention is to overcome the deficiencies of the prior art by providing a method for preventing SQL injection that detects SQL injection efficiently.
To solve the above technical problem, the present invention provides a method for preventing SQL injection, characterised in that it comprises the following steps:
Step S1: the application agent and the proxy service negotiate an encryption key;
Step S2: the application agent encrypts the keywords of the SQL statement with the encryption key, concatenates the result with the user input into a SQL statement and sends it to the proxy service;
Step S3: the proxy service decrypts the keyword-encrypted SQL statement and performs lexical and syntactic analysis on both the encrypted statement and the decrypted statement to generate two syntax trees. If the two syntax trees differ, a SQL injection risk is deemed to exist; if they are identical, no SQL injection is deemed present and the decrypted SQL statement is sent to the database for execution;
Step S4: the database executes the SQL statement and returns the result; on receiving the result from the database, the proxy service forwards it to the application agent.
Further, in step S1, the encryption key negotiation may be implemented with an asymmetric encryption algorithm, or a random number sequence generated from the same randomisation seed on both sides may be used as the encryption and decryption key.
Further, in step S2, the keywords of the SQL statement are encrypted with a symmetric algorithm, including DES, 3DES, TDEA, Blowfish, RC5 or IDEA.
Further, in step S3, the proxy service's detection procedure for SQL injection is as follows:
1) After the SQL proxy server receives the encrypted SQL statement S1, it decrypts the statement to produce S2;
2) S1 and S2 are each lexically and syntactically parsed to generate the corresponding abstract syntax trees T1 and T2;
3) If generation of syntax tree T2 fails, the SQL probably has a syntax error after decryption caused by injection, and it can be judged directly as SQL injection; if T2 is generated successfully, T1 and T2 are compared for exact equality, and if they are not identical, SQL injection is judged to be present;
4) If SQL injection is present, an error message is returned to the application agent.
Further, lexical and syntactic parsing use ANTLR4.
Compared with the prior art, the present invention achieves the following beneficial effect: even if the content entered by the user contains SQL injection, because all keywords have been encrypted and transformed, the proxy service can recognise the encrypted keywords and correctly parse the statement to produce a result; when the SQL statement with decrypted keywords is parsed again, any SQL injection necessarily produces a different syntax tree. The invention uses the property that the syntax tree of an injected SQL statement differs from that of the normal statement to detect SQL injection accurately.
Description of the drawings
Fig. 1 is a schematic diagram of the framework of the method of the present invention;
Fig. 2 is a flow chart of the SQL injection detection method of the present invention.
Detailed description
The present invention is further described below with reference to the accompanying drawings. The following embodiments serve only to illustrate the technical solution of the invention more clearly and do not limit its scope of protection.
As shown in Fig. 1, the method of the present invention for preventing SQL injection comprises the following steps:
Step S1: the application agent and the proxy service negotiate an encryption key.
The application architecture may be B/S or C/S, and the application side may be a web back end or a client. The application agent is the agent program running on the application side, through which the application side interacts with the outside world.
The proxy service is a SQL proxy server that receives the application's SQL requests and acts as a proxy between the application and the database.
The running application agent first performs key negotiation and distribution with the proxy server using RSA, ensuring that both parties obtain the same key; the key is transmitted in encrypted form to the application and used as the SQL keyword encryption key for this session.
Key negotiation may be implemented with an asymmetric encryption algorithm, or a random number sequence generated from the same randomisation seed may be used as the encryption and decryption key.
Step S2: the application agent encrypts the keywords of the SQL statement with the encryption key, concatenates the result with the user input into an encrypted SQL statement and sends it to the proxy service.
The application agent sends requests to the SQL proxy service through a JDBC driver or by issuing SQL commands directly. Using the encryption key obtained in the previous step, the application agent applies the encrypting transformation to the keywords of the SQL command, concatenates the result with the user input into an encrypted SQL statement and transmits it to the SQL proxy server.
For performance reasons, the embodiment uses a symmetric encryption algorithm, including DES, 3DES, TDEA, Blowfish, RC5, IDEA, other symmetric algorithms or a custom encryption algorithm.
Step S3: the proxy service decrypts the encrypted SQL statement, performs lexical and syntactic analysis on both the encrypted and the decrypted statement, and decides from the comparison of the two whether SQL injection is present. If the results differ, a SQL injection risk is deemed to exist and an error is returned directly; if the results are identical, no SQL injection is deemed present and the decrypted SQL statement is sent to the database for execution.
The decision rule is that the SQL proxy service performs lexical and syntactic analysis on both the encrypted SQL statement and the decrypted SQL statement and compares the two parse results to determine whether a potential SQL injection risk exists: if the two results are identical, the SQL is considered free of injection; otherwise it is considered risky.
The SQL injection covered includes comment injection, tautology attacks, UNION query attacks, piggy-backed query attacks and the like. Because each of these attacks injects attack content into a normal SQL statement and thereby changes the result of the SQL syntax analysis compared with the uninjected statement, the comparison detects them.
As shown in Fig. 2, the SQL proxy service's detection procedure for SQL injection in this step is as follows:
1) After the SQL proxy server receives the encrypted SQL statement S1, it decrypts the statement to produce S2;
2) Existing technology such as ANTLR4 is used to lexically and syntactically parse S1 and S2 separately, generating the corresponding abstract syntax trees T1 and T2. The difference between parsing S1 and S2 is that the keywords of S2 are unencrypted, whereas when S1 is parsed its keywords are in their encrypted, transformed form;
3) If generation of syntax tree T2 fails, the SQL probably has a syntax error after decryption caused by injection, so it can be judged directly as SQL injection. If T2 is generated successfully, T1 and T2 are compared for exact equality; if they are not identical, the only possible cause is that injected content in the decrypted statement has changed the syntax tree and hence the semantics, so SQL injection is judged to be present;
4) According to the decision, if SQL injection is present an error message is returned to the application; if not, the decrypted SQL statement is sent to the database for execution.
Lexical and syntactic analysis of the keyword-encrypted SQL yields the syntax tree the application intended; syntactic analysis of the decrypted SQL yields the syntax tree actually expressed by the concatenated statement. If the two syntax trees are identical, the intended syntax tree equals the tree actually expressed, from which it follows that the semantics the application intended equal the semantics of the SQL as expressed and there is no SQL injection; otherwise SQL injection is deemed present.
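The following is an added example, not code from the patent or from any implementation of it, that walks steps S2 and S3 of the claims and the detection procedure just described in Python. The application agent transforms the keywords of its own query template with a per-session key and only then splices the raw user value in; the proxy maps the tags back (S1 to S2), parses the decrypted text into T2 with a plain grammar and the encrypted text into T1 with a grammar that recognises only the tagged keywords, and compares the two trees. Everything beyond the page's description is an assumption made for the demonstration: a tiny SELECT-only grammar in place of ANTLR4, HMAC-SHA256 tags in place of the DES/Blowfish keyword transform, a constructed session key in place of the RSA negotiation of step S1, and all function, class and variable names. One point the page does not spell out: with a strict grammar, an injected raw keyword or comment marker usually makes the encrypted text S1 itself unparseable rather than yielding a different tree, so the example reports a failed T1 as injection as well, while keyword-looking text inside a string literal (the "select me" case) still passes because it is a literal in both parses.

```python
import hashlib, hmac, re

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION"}  # words the application agent transforms
TOKEN_RE = re.compile(r"\s*(?:(--[^\n]*)|('(?:[^']|'')*')|(\d+)|([A-Za-z_]\w*)|(<>|<=|>=|[=<>*,;]))")
class SqlError(Exception): pass  # lexical or syntactic failure; the proxy counts it as a failed tree generation

def keyword_tag(key: bytes, kw: str) -> str:
    # Keyed per-session stand-in for a keyword; HMAC-SHA256 replaces the page's DES/Blowfish (assumption)
    return "K" + hmac.new(key, kw.encode(), hashlib.sha256).hexdigest()[:12]

def app_agent_build(key: bytes, template: str, user_input: str) -> str:
    """Step S2: encrypt the template's own keywords, then splice the raw user value in for {}."""
    enc = " ".join(keyword_tag(key, t.upper()) if t.upper() in KEYWORDS else t for t in template.split())
    return enc.replace("{}", user_input)  # deliberately unescaped: this is the concatenation under attack

def proxy_decrypt(key: bytes, s1: str) -> str:
    """Step S3, part 1: map every keyword tag back to its plaintext keyword (S1 -> S2)."""
    tags = {keyword_tag(key, kw): kw for kw in KEYWORDS}
    return re.sub(r"\bK[0-9a-f]{12}\b", lambda m: tags.get(m.group(0), m.group(0)), s1)

def tokenize(sql: str, keywords: dict, allow_comments: bool) -> list:
    """Shared lexer; `keywords` maps surface word -> keyword name, any other word is an identifier."""
    sql, pos, toks = sql.strip(), 0, []
    while pos < len(sql):
        if not (m := TOKEN_RE.match(sql, pos)):
            raise SqlError(f"unexpected character at offset {pos}")
        pos = m.end()
        kind, text = ("COMMENT", "STR", "NUM", "WORD", "OP")[m.lastindex - 1], m.group(m.lastindex)
        if kind == "COMMENT" and not allow_comments:  # the application's template never carries comments
            raise SqlError("comment marker in keyword-encrypted text")
        elif kind == "WORD":
            kw = keywords.get(text if text in keywords else text.upper())
            toks.append(("KW", kw) if kw else ("ID", text.lower()))
        elif kind != "COMMENT":
            toks.append((kind, text))
    return toks

class Parser:  # recursive descent for: SELECT cols FROM t [WHERE cond] [UNION stmt] [; stmt ...]
    def __init__(self, toks):
        self.toks, self.i = toks, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("EOF", "")
    def accept(self, tok):
        hit = self.peek() == tok
        self.i += int(hit)
        return hit
    def take(self, *kinds, val=None):
        t = self.peek()
        if t[0] not in kinds or (val is not None and t[1] != val):
            raise SqlError(f"expected {kinds} {val or ''}, got {t}")
        self.i += 1
        return t
    def statements(self):
        stmts = [self.statement()]
        while self.accept(("OP", ";")):
            stmts.append(self.statement())
        if self.peek()[0] != "EOF":
            raise SqlError(f"trailing tokens {self.toks[self.i:]}")
        return ("stmts", stmts)
    def statement(self):
        self.take("KW", val="SELECT")
        cols = ["*"] if self.accept(("OP", "*")) else [self.take("ID")[1]]
        while self.accept(("OP", ",")):
            cols.append(self.take("ID")[1])
        self.take("KW", val="FROM")
        node = ("select", cols, self.take("ID")[1], self.condition() if self.accept(("KW", "WHERE")) else None)
        return ("union", node, self.statement()) if self.accept(("KW", "UNION")) else node
    def condition(self):
        node = self.comparison()
        while self.peek() in (("KW", "AND"), ("KW", "OR")):
            node = (self.take("KW")[1], node, self.comparison())
        return node
    def comparison(self):
        left, op = self.take("ID", "STR", "NUM"), self.take("OP")[1]
        return ("cmp", op, left, self.take("ID", "STR", "NUM"))

def proxy_check(key: bytes, s1: str):
    """Step S3: T2 from the decrypted text, T1 from the encrypted text, compare; ('ok', sql) or ('injection', why)."""
    s2 = proxy_decrypt(key, s1)
    try:
        t2 = Parser(tokenize(s2, {kw: kw for kw in KEYWORDS}, True)).statements()
    except SqlError as e:  # the page's first rule: T2 cannot be generated
        return "injection", f"decrypted statement does not parse: {e}"
    try:
        t1 = Parser(tokenize(s1, {keyword_tag(key, kw): kw for kw in KEYWORDS}, False)).statements()
    except SqlError as e:  # added here: a raw keyword or comment from the user also leaves T1 unparseable
        return "injection", f"encrypted statement does not parse: {e}"
    if t1 != t2:  # the page's second rule: the trees differ
        return "injection", f"syntax trees differ: {t1} vs {t2}"
    return "ok", s2

def run_demo():
    """Constructed session key (stands in for step S1), one template, benign and hostile values."""
    key = b"constructed-session-key"
    template = "SELECT * FROM users WHERE name = '{}' AND active = 1"
    cases = {"benign": "alice", "keyword-looking data": "select me", "tautology": "' OR '1'='1",
             "comment truncation": "admin' --", "stacked query": "'; SELECT * FROM secrets --"}
    return {name: proxy_check(key, app_agent_build(key, template, value)) for name, value in cases.items()}
```

Calling run_demo() returns the verdict for each constructed case: the two benign values come back as "ok" together with the decrypted statement the proxy would forward to the database, and the tautology, comment-truncation and stacked-query values come back as "injection" with the reason. The check compares structure only, as the page describes: user input that adds no keyword and no structure (a different literal, for instance) is passed through unchanged.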
Step S4: the database executes the SQL statement and returns the result; on receiving the result from the database, the proxy service forwards it to the application agent.
The proxy service can support multiple sessions simultaneously. When an application agent connects to the proxy service, the proxy service establishes a connection with the application, maintains the session and stores the information the application requires. The connection is kept open while the proxy checks the SQL statement and sends it to the database. Once the proxy has obtained the data returned by the database, it forwards the result to the application agent over the existing connection, which passes it on to the application.
The above is only a preferred embodiment of the present invention. It should be noted that a person of ordinary skill in the art may make several improvements and modifications without departing from the technical principle of the present invention, and such improvements and modifications are also to be regarded as falling within the scope of protection of the present invention.
Claims (6)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710823393.XA CN107644175A (en) | 2017-09-13 | 2017-09-13 | A kind of method for preventing SQL injection |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN107644175A true CN107644175A (en) | 2018-01-30 |
Family ID: 61111489
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102968455A (en) | 2012-10-31 | 2013-03-13 | 山东浪潮齐鲁软件产业股份有限公司 | Transparent database encrypting method of application layer |
| CN106529327A (en) | 2016-10-08 | 2017-03-22 | 西安电子科技大学 | Data access system and method oriented to encryption database under hybrid cloud environment |
| CN106817219A (en) | 2015-12-01 | 2017-06-09 | 阿里巴巴集团控股有限公司 | A kind of method and device of consulting session key |
| CN107122657A (en) | 2017-05-02 | 2017-09-01 | 上海红神信息技术有限公司 | A kind of database broker device for defending SQL injection to attack |
Timeline
- 2017-09-13: CN application CN201710823393.XA filed; published as CN107644175A, status Pending
Non-Patent Citations (1)
| Title |
|---|
| 刘苇 et al.: "Operating-system-enhanced security protection technology for web systems" (基于操作系统增强的WEB系统安全防护技术), 电力信息与通信技术 (Electric Power Information and Communication Technology) |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111984970B (en) | 2019-05-22 | 2023-11-07 | 深信服科技股份有限公司 | SQL injection detection method and system, electronic equipment and storage medium |
| CN111984970A (en) | 2019-05-22 | 2020-11-24 | 深信服科技股份有限公司 | SQL injection detection method and system, electronic equipment and storage medium |
| CN110162974A (en) | 2019-05-28 | 2019-08-23 | 郑州昂视信息科技有限公司 | Database attack defence method and system |
| CN110162974B (en) | 2019-05-28 | 2021-03-30 | 郑州昂视信息科技有限公司 | Database attack defense method and system |
| CN112115487A (en) | 2019-06-20 | 2020-12-22 | 华控清交信息科技(北京)有限公司 | Data processing method and device and electronic equipment |
| CN112115487B (en) | 2019-06-20 | 2024-05-31 | 华控清交信息科技(北京)有限公司 | Data processing method and device and electronic equipment |
| CN110460606B (en) | 2019-08-16 | 2021-10-12 | 中国银行股份有限公司 | Second-order SQL injection vulnerability detection method, device and equipment |
| CN110460606A (en) | 2019-08-16 | 2019-11-15 | 中国银行股份有限公司 | A kind of second order SQL injection leak detection method, device and equipment |
| CN110647749A (en) | 2019-09-20 | 2020-01-03 | 湖南大学 | Second-order SQL injection attack defense method |
| CN111221844A (en) | 2019-11-14 | 2020-06-02 | 广东电网有限责任公司信息中心 | Web server protection method based on mimicry instruction set randomization and database proxy node |
| CN111221844B (en) | 2019-11-14 | 2023-10-03 | 广东电网有限责任公司信息中心 | Web server protection method based on mimicry instruction set randomization and database proxy node |
| CN113141331A (en) | 2020-01-17 | 2021-07-20 | 深信服科技股份有限公司 | XSS attack detection method, device, equipment and medium |
| CN111552698A (en) | 2020-04-21 | 2020-08-18 | 重庆富民银行股份有限公司 | SQL version control system and method for solving environmental difference |
| CN113660239A (en) | 2021-08-10 | 2021-11-16 | 中电积至(海南)信息技术有限公司 | SQL injection prevention system based on salting and front-end WAF protection coupling |
| CN114443685A (en) | 2021-12-22 | 2022-05-06 | 奇安信科技集团股份有限公司 | Method and device for detecting SQL injection |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20180130 |