CN107644175A - A kind of method for preventing SQL injection - Google Patents
- Publication number: CN107644175A (application CN201710823393.XA)
- Authority: CN (China)
- Prior art keywords: sql, sql statement, injection, sql injection, statement
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscape: Storage Device Security
Abstract
The invention discloses a method for preventing SQL injection, comprising: 1) an application agent and a proxy service negotiate an encryption key; 2) the application agent encrypts the keywords of the SQL statement with the encryption key, splices in the user input to form the SQL statement, and sends it to the proxy service; 3) the proxy service decrypts the keyword-encrypted SQL statement, performs lexical and syntax analysis on both the encrypted SQL statement and the decrypted SQL statement to generate their syntax trees, and, if the two syntax trees differ, concludes that an SQL injection risk exists; if they are identical, it concludes that there is no SQL injection and sends the decrypted SQL statement to the database for execution. The invention exploits the property that the syntax tree of a normal SQL statement differs from that of the same statement after injection, allowing SQL injection to be detected accurately.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method for preventing SQL injection.
Background technology
SQL (Structured Query Language) is a query language for databases; most SQL dialects are based on the ANSI SQL92 standard. A single SQL statement can perform a query or an insert, delete or update operation on a database. A great many websites of the Web 2.0 era access and store data through SQL, and a large share of their code performs no adequate security check on user input at the application side. Without such checks, SQL statements may come to include hostile content: malicious user input, injection through server variables, cookie injection and so on, for example SQL fragments carrying malicious strings. These user inputs are spliced into what look like legal SQL statements and executed on the server, so that sensitive data leaks from the database or database data is lost. This exposes the website, the database and the data to serious security risk, and defending against SQL injection is therefore an especially important security task for service providers.

SQL injection is generally classified as follows: (1) using comment symbols (--, #) to truncate the normal query statement or to bypass SQL verification; (2) tautology attacks, which inject into the SQL WHERE condition so that the condition is always true and verification is bypassed to extract data; (3) illegal or logically malformed queries, which obtain information about the database in preparation for the next step of an attack; (4) UNION query attacks, which use the SQL keyword UNION to bypass database verification and steal data; (5) piggybacked queries, which, when the database allows several statements to be executed, append arbitrary SQL statements to a normal statement to achieve the attack; (6) stored-procedure attacks, which construct commands that execute stored procedures; (7) inference attacks, used after the DBA has hardened security so that illegal or logically malformed queries no longer return enough information: the attacker constructs query requests and infers injectable parameters from the content the database returns; (8) encoding substitution attacks, which replace the injected text with an encoding to evade detection; (9) second-order injection, which first stores attack content in the database in a legally encoded form and later launches the attack when the stored field is read back within the database.

Detection methods for SQL injection generally include whitelist and blacklist techniques, under which only SQL statements on the whitelist may be executed and SQL statements, IP addresses or keywords on the blacklist may not, and feature-based detection, which assumes that injected SQL statements share certain features (for example, the user input contains comment symbols, several statements, or SQL keywords) and checks for injection against an accumulated set of security features. These methods clearly have limitations: the result of feature-based detection depends on whether the feature set for injection attacks is complete and accurate, while whitelist and blacklist techniques strictly restrict the SQL statements a user may issue to a specified set, so that flexibility suffers.
The content of the invention
The object of the invention is to overcome the deficiencies of the prior art by providing a method for preventing SQL injection that achieves efficient detection of SQL injection.

To solve the above technical problem, the invention provides a method for preventing SQL injection, characterised in that it comprises the following steps:
Step S1: the application agent and the proxy service negotiate an encryption key;
Step S2: the application agent encrypts the keywords of the SQL statement with the encryption key, splices in the user input to form the SQL statement, and sends it to the proxy service;
Step S3: the proxy service decrypts the keyword-encrypted SQL statement and performs lexical and syntax analysis on both the encrypted SQL statement and the decrypted SQL statement to generate their syntax trees; if the two syntax trees differ, an SQL injection risk is considered to exist; if they are identical, no SQL injection is considered present and the decrypted SQL statement is sent to the database for execution;
Step S4: the database executes the SQL statement and returns the result of execution; after receiving the result returned by the database, the proxy service forwards it to the application agent.

Further, in step S1, the key negotiation may be implemented with an asymmetric encryption algorithm, or a random number sequence generated from an identical randomization seed may be used as the encryption and decryption key.

Further, in step S2, the keywords of the SQL statement are encrypted with a symmetric encryption algorithm, including the DES, 3DES, TDEA, Blowfish, RC5 or IDEA algorithms.

Further, in step S3, the specific procedure by which the proxy service detects SQL injection is as follows:
1) after receiving the encrypted SQL statement S1, the SQL proxy server decrypts it to produce the statement S2;
2) lexical and syntax parsing are performed on S1 and S2 respectively, generating the corresponding abstract syntax trees T1 and T2;
3) if generating the syntax tree T2 fails, the decrypted SQL may contain a syntax error caused by injection, and SQL injection can be determined directly; if T2 is generated successfully, T1 and T2 are compared for complete consistency, and if they are inconsistent, SQL injection is determined to exist;
4) if SQL injection exists, an error message is returned to the application agent.

Further, the lexical and syntax parsing use ANTLR4.

Compared with the prior art, the beneficial effect achieved by the invention is as follows. Even if the user input contains SQL injection content, because all keywords have been encrypted and transformed, the proxy service can recognise the encrypted keywords and correctly carry out syntax analysis to produce a result; when syntax analysis is performed again on the SQL statement after the keywords are decrypted, any SQL injection necessarily causes the syntax trees to differ. The invention exploits the property that the syntax tree of a normal SQL statement differs from that of the SQL statement after injection to detect SQL injection accurately.
Brief description of the drawings
Fig. 1 is a block schematic diagram of the method of the invention;
Fig. 2 is a flow chart of the SQL injection detection method of the invention.
Embodiment
The invention is further described below with reference to the accompanying drawings. The following embodiments are only intended to illustrate the technical solution of the invention clearly and do not limit its scope.

As shown in Fig. 1, the method for preventing SQL injection of the invention comprises the following steps:

Step S1: the application agent and the proxy service negotiate an encryption key.

The application architecture may be B/S or C/S, and the application side may be a Web back end or a client. The application agent is the agent running on the application side; the application side interacts with the outside world through the application agent. The proxy service is the SQL proxy server, which receives the application's SQL requests and, acting as a proxy, mediates the interaction between the application and the database.

The running application agent first negotiates and distributes a key with the proxy server using RSA, ensuring that both parties obtain the same key; this key is used to encrypt the SQL statement keywords transmitted by the application during the session. Key negotiation may be implemented with an asymmetric encryption algorithm, or a random number sequence generated from an identical randomization seed may be used as the encryption and decryption key.

Step S2: the application agent encrypts the keywords of the SQL statement with the encryption key, splices in the user input to form the encrypted SQL statement, and sends it to the proxy service.

The application agent sends the request to the SQL proxy service through a JDBC interface driver or by invoking the SQL command directly. It transforms the keywords of the SQL command with the encryption key obtained in the previous step, splices the result with the user input into the encrypted SQL statement, and transmits it to the SQL proxy server.

For performance reasons, the embodiment of the invention uses a symmetric encryption algorithm for this encryption, including the DES, 3DES, TDEA, Blowfish, RC5 or IDEA algorithms, other symmetric encryption algorithms, or a user-defined encryption algorithm.
Step S3: the proxy service decrypts the encrypted SQL statement, performs lexical and syntax analysis on both the encrypted SQL statement and the decrypted SQL statement, and determines from the comparison of the two results whether SQL injection is present: if the results differ, an SQL injection risk is considered to exist and an error is returned directly; if the results are identical, no SQL injection is considered present and the decrypted SQL statement is sent to the database for execution.

The decision procedure is that the SQL proxy service performs lexical and syntax analysis on the encrypted SQL statement and on the decrypted SQL statement at the same time and compares the two parsing results to determine whether a potential SQL injection risk is present: if the comparison results are identical, no SQL injection hazard is considered present; otherwise a risk is considered to exist.

The SQL injection includes the use of comment symbols, tautology attacks, UNION query attacks, piggybacked query attacks and the like. Because injecting attack content into a normal SQL statement by these means changes the result of SQL syntax analysis compared with the un-injected SQL statement, these attacks can be detected by comparison.

As shown in Fig. 2, the specific procedure by which the SQL proxy service detects SQL injection in this step is as follows:
1) after receiving the encrypted SQL statement S1, the SQL proxy server decrypts it to produce the statement S2;
2) using existing technology such as ANTLR4, lexical and syntax parsing are performed on S1 and S2 respectively, generating the corresponding abstract syntax trees T1 and T2; the difference between parsing S1 and S2 is that the keywords of S2 are not encrypted, whereas during the parsing of S1 the keywords are replaced by their encrypted forms;
3) if generating the syntax tree T2 fails, the decrypted SQL may contain a syntax error caused by injection, so SQL injection can be determined directly; if T2 is generated successfully, T1 and T2 are compared for complete consistency; if they are inconsistent, the change in the syntax tree can only be because SQL injection altered the content of the decrypted statement, ultimately producing a semantic difference, and SQL injection is therefore determined to exist;
4) according to the result, if SQL injection exists, an error message is returned to the application; if there is no SQL injection, the decrypted SQL statement is sent to the database for execution.

Lexical and syntax analysis of the keyword-encrypted SQL yields the syntax tree the application expects; syntax analysis of the decrypted SQL yields the syntax tree actually expressed by the spliced SQL statement. If the two syntax trees are identical, the expected syntax tree is the same as the one actually expressed, from which it can be inferred that the semantics the application intends to express are the same as the semantics the SQL expresses and there is no SQL injection; otherwise SQL injection is considered present.
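Steps S2 and S3 worked through as an added example (not the patent's code): the application agent encrypts the keywords of its statement template and splices in the user input, and the proxy parses the keyword-encrypted statement S1 (only encrypted keywords count as keywords) and the decrypted S2, then compares the trees. It goes one step beyond the patent by also counting encrypted keywords that end up inside a comment or string literal, a case in which both trees parse identically. Assumptions: an HMAC-derived suffix stands in for the symmetric keyword cipher the patent lists, a small SELECT grammar stands in for ANTLR4, and templates keep their keywords outside string literals.

```python
# Added example in the style of CN107644175A, not the patent's code. Assumptions: an HMAC-derived
# suffix stands in for the symmetric keyword cipher the patent lists (DES, 3DES, ...), a small
# SELECT grammar stands in for ANTLR4, and templates keep their SQL keywords outside string literals.
import hashlib, hmac, re

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION"}
OPERANDS = {"ID", "STR", "NUM"}
ENC_RE = re.compile(r"\b[A-Z]+_[0-9a-f]{8}\b")              # shape of an encrypted keyword
TOKEN_RE = re.compile(r"\s+|--[^\n]*|#[^\n]*"                # whitespace and comments are dropped
                      r"|(?P<str>'(?:[^']|'')*')|(?P<num>\d+)|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"
                      r"|(?P<op><>|<=|>=|=|<|>|,|;|\*|\(|\))")

def encrypt_keyword(kw, key):
    return kw + "_" + hmac.new(key, kw.encode(), hashlib.sha256).hexdigest()[:8]  # keyed stand-in

def build_statement(template, params, key):
    """Application-agent side (step S2): encrypt the template's keywords, then splice in user input."""
    enc = lambda m: encrypt_keyword(m.group().upper(), key) if m.group().upper() in KEYWORDS else m.group()
    return re.sub(r"[A-Za-z_]+", enc, template).format(*params)

def tokenize(sql, keyword_of):
    """Lex SQL; keyword_of(word) returns the canonical keyword, or None for an identifier."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            return None                                    # lexical error, e.g. unterminated quote
        pos = m.end()
        if m.lastgroup == "word":
            kw = keyword_of(m.group())
            tokens.append(("KW", kw) if kw else ("ID", m.group().lower()))
        elif m.lastgroup:                                  # str / num / op
            tokens.append((m.lastgroup.upper(), m.group()))
    return tokens

def take(toks, kinds, vals=None):                          # consume next token if allowed, else SyntaxError
    tok = toks.pop(0) if toks else (None, None)
    if tok[0] not in kinds or (vals and tok[1] not in vals):
        raise SyntaxError(repr(tok))
    return tok

def select(toks):                                          # SELECT operand FROM ident [WHERE expr]
    take(toks, {"KW"}, {"SELECT"})
    col = take(toks, OPERANDS)
    take(toks, {"KW"}, {"FROM"})
    table, where = take(toks, {"ID"}), None
    if toks[:1] == [("KW", "WHERE")]:
        toks.pop(0)
        where = expr(toks)
    return ("SELECT", col, table, where)

def expr(toks):                                            # comparison ((AND | OR) comparison)*
    left = comparison(toks)
    while toks[:1] in ([("KW", "AND")], [("KW", "OR")]):
        left = (toks.pop(0)[1], left, comparison(toks))
    return left

def comparison(toks):                                      # operand (= | <> | < | > | <= | >=) operand
    lhs, op = take(toks, OPERANDS), take(toks, {"OP"}, {"=", "<>", "<", ">", "<=", ">="})
    return (op[1], lhs, take(toks, OPERANDS))

def parse(tokens):
    """Syntax tree of one statement, or None when it does not parse; leftover tokens count as failure."""
    toks = list(tokens or [])
    try:
        tree = select(toks)
    except SyntaxError:
        return None
    return tree if not toks else None

def proxy_check(s1, key):
    """Proxy side (step S3): parse S1 with only encrypted keywords recognised, parse the decrypted S2
    with plain keywords, and compare the trees. Returns (allowed, decrypted_sql)."""
    enc_to_plain = {encrypt_keyword(k, key): k for k in KEYWORDS}
    toks1 = tokenize(s1, enc_to_plain.get)
    s2 = ENC_RE.sub(lambda m: enc_to_plain.get(m.group(), m.group()), s1)
    t2 = parse(tokenize(s2, lambda w: w.upper() if w.upper() in KEYWORDS else None))
    # Added beyond the patent: a template keyword swallowed by a literal or comment (input "1 -- ") never becomes a KW token
    expected = sum(1 for w in ENC_RE.findall(s1) if w in enc_to_plain)
    seen = sum(1 for t in (toks1 or []) if t[0] == "KW")
    return (t2 is not None and parse(toks1) == t2 and seen == expected), s2
```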
Step S4: the database executes the SQL statement and returns the result of execution; after receiving the result returned by the database, the proxy service forwards it to the application agent.

The proxy service can support multiple sessions simultaneously. When an application agent connects to the proxy service, the proxy service establishes a connection with the application, maintains the session, and stores the necessary information about the application. The connection is kept open while the agent checks the SQL statement and sends it to the database. After the agent obtains the data returned by the database, it forwards the result to the application agent over the existing connection, which then passes it on to the application.

The above is only a preferred embodiment of the invention. It should be noted that those of ordinary skill in the art may make improvements and modifications without departing from the technical principles of the invention, and such improvements and modifications should also be regarded as falling within the scope of protection of the invention.
Claims (6)
1. A method for preventing SQL injection, characterised in that it comprises the following steps:
Step S1: the application agent and the proxy service negotiate an encryption key;
Step S2: the application agent encrypts the keywords of the SQL statement with the encryption key, splices in the user input to form the SQL statement, and sends it to the proxy service;
Step S3: the proxy service decrypts the keyword-encrypted SQL statement and performs lexical and syntax analysis on both the encrypted SQL statement and the decrypted SQL statement to generate their syntax trees; if the two syntax trees differ, an SQL injection risk is considered to exist; if they are identical, no SQL injection is considered present and the decrypted SQL statement is sent to the database for execution;
Step S4: the database executes the SQL statement and returns the result of execution; after receiving the result returned by the database, the proxy service forwards it to the application agent.
2. The method for preventing SQL injection according to claim 1, characterised in that in step S1 the key negotiation may be implemented with an asymmetric encryption algorithm, or a random number sequence generated from an identical randomization seed may be used as the encryption and decryption key.
3. The method for preventing SQL injection according to claim 1, characterised in that in step S2 the keywords of the SQL statement are encrypted with a symmetric encryption algorithm.
4. The method for preventing SQL injection according to claim 1, characterised in that the symmetric encryption algorithm is the DES, 3DES, TDEA, Blowfish, RC5 or IDEA algorithm.
5. The method for preventing SQL injection according to claim 1, characterised in that in step S3 the specific procedure by which the proxy service detects SQL injection is as follows:
1) after receiving the encrypted SQL statement S1, the SQL proxy server decrypts it to produce the statement S2;
2) lexical and syntax parsing are performed on S1 and S2 respectively, generating the corresponding abstract syntax trees T1 and T2;
3) if generating the syntax tree T2 fails, the decrypted SQL may contain a syntax error caused by injection, and SQL injection can be determined directly; if T2 is generated successfully, T1 and T2 are compared for complete consistency, and if they are inconsistent, SQL injection is determined to exist;
4) if SQL injection exists, an error message is returned to the application agent.
6. The method for preventing SQL injection according to claim 5, characterised in that the lexical and syntax parsing use ANTLR4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710823393.XA CN107644175A (en) | 2017-09-13 | 2017-09-13 | A kind of method for preventing SQL injection |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107644175A true CN107644175A (en) | 2018-01-30 |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102968455A (en) * | 2012-10-31 | 2013-03-13 | 山东浪潮齐鲁软件产业股份有限公司 | Transparent database encrypting method of application layer |
CN106817219A (en) * | 2015-12-01 | 2017-06-09 | 阿里巴巴集团控股有限公司 | A kind of method and device of consulting session key |
CN106529327A (en) * | 2016-10-08 | 2017-03-22 | 西安电子科技大学 | Data access system and method oriented to encryption database under hybrid cloud environment |
CN107122657A (en) * | 2017-05-02 | 2017-09-01 | 上海红神信息技术有限公司 | A kind of database broker device for defending SQL injection to attack |
Non-Patent Citations (1)
Title |
---|
刘苇 et al.: "Web system security protection technology based on operating system enhancement", 电力信息与通信技术 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |
Application publication date: 2018-01-30