基于SQL语法树的SQL注入过滤方法研究

doi:10.11959/j.issn.2096-109x.2016.00113

Chinese Journal of Network and Information Security ›› 2016, Vol. 2 ›› Issue (11): 70-77.doi: 10.11959/j.issn.2096-109x.2016.00113

• Papers • Previous Articles

Research on the SQL injection filtering based on SQL syntax tree

Chen-wang HAN^1,²,Hui LIN^1,²,Chuan HUANG^1,²

¹ School of Mathematics and Computer Science,Fujian Normal University,Fuzhou 350117,China
² Fujian Provincial Key Laboratory of Network Security and Cryptology,Fujian Normal University,Fuzhou 350117,China

Revised:2016-10-14 Online:2016-11-15 Published:2016-11-15
Supported by:
The National Natural Science Foundation of China(61363068);The National Natural Science Foundation of China(61472083);Pilot Project of Fujian Province(2016Y0031);Project of Fuzhou Municipal Science and Technology Bureau(2015-G-54);Project of Fuzhou Municipal Science and Technology Bureau(2015-G-84)

Abstract

Abstract:

The development of Web application make its areas become more and more widely.Followed by a security problem is becoming more and more serious,especially for the SQL injection attacks,which bring a huge challenge to the Web application security.A new SQL injection filtering method was proposed to detect SQL injection attack by introducing a security strategy based on SQL syntax tree to the design of the user input filtering.The experimental results show that the method can effectively prevent SQL injection attacks,and has higher recognition rate and lower rate of false positives.

Key words: SQL injection attack, Web security, SQL syntax tree, user input filtering

CLC Number:

TP309

Chen-wang HAN, Hui LIN, Chuan HUANG. Research on the SQL injection filtering based on SQL syntax tree[J]. Chinese Journal of Network and Information Security, 2016, 2(11): 70-77.

Figures/Tables 11

References 15

[1]	郑成兴 . 网络入侵防范的理论与实践[M]. 北京: 机械工业出版社, 2006.
	ZHENG C X . Network intrusion prevention theory and practice[M]. Beijing: China Machine PressPress, 2006.
[2]	高鹏, 严望佳 . 构建安全的 Web 站点[M]. 北京: 清华大学出版社, 1999.
	GAO P , YAN W J . Build a secure Web site[M]. Beijing: Tsinghua University PressPress, 1999.
[3]	ANLEY,Chris. Advanced SQL injection in SQL server applications[R]. An NGSSoftware Insight Security Research (NISR) Publication, 2002.
[4]	CLARKE J . SQL Injection Attacks and Defense[M]. Amsterdam: ElsevierPress, 2009.
[5]	李鑫, 张维纬, 隋子畅 ,等. 新型SQL注入及其防御技术研究与分析[J]. 信息网络安全, 2016,2: 66-73.
	LI X , ZHANG W W , SUI Z C ,et al. Research and analysis on the novel SQL injection and defense technique[J]. Netinfo Security, 2016,2: 66-73.
[6]	BECHER M . Web application firewalls[D]. Akademikerverlag:Universiti Teknologi MARA, 2012.
[7]	ROESCH M , . Snort:lightweight intrusion detection for networks[C]// The 13th Conference on Systems Administration (LISA-99),Usenix Association. 1999: 229-238.
[8]	MI-YEON K , DONG H L . Data-mining based SQL injection attack detection using internal query trees[J]. Expert Systems with Applications, 2014(41): 5416-5430.
[9]	石聪聪, 张涛, 余勇 ,等. 一种新的SQL注入防护方法的研究与实现[J]. 计算机科学, 2012,(S1): 60-64.
	SHI C C , ZHANG T , YU Y , LIN W M . New approach for SQL-injection detection[J]. Computer Science, 2012,(S1): 60-64.
[10]	成晓利 . Web 应用程序SQL 注入攻击漏洞测试系统的研究与实现[D]. 成都:西南交通大学, 2013.
	CHENG X L . Research and implementation of Web application SQL injection vulnerability detection system[D]. Chengdu:Southwest Jiaotong University, 2013.
[11]	褚龙现 . ASP.NET 应用中SQL注入攻击的分析与防范[J]. 计算机与现代化, 2014,(3): 151-153,160.
	CHU L X . Analysis and defense of SQL injection attacks in ASP.NET application[J]. Computer and Modernization, 2014,(3): 151-153,160.
[12]	WEI K , MUTHUPRASANNA M , KOTHARI S . Preventing SQL injection attacks in stored procedures[C]// IEEE Conference on Piscataway,Software Engineering. 2006: 191-198.
[13]	黄龙军 . 存储过程技术在网络考试系统SQL 注入攻击防御上的应用[J]. 计算机系统应用, 2013,22(1): 103-106.
	HUANG L J . Application of stored procedures to defense against SQL injection attacks in online examination system[J]. Computer Systems ＆ Applications, 2013,22(1): 103-106.
[14]	杨玉龙, 彭长根, 周洲 . 基于同态加密的防止 SQL 注入攻击解决方案[J]. 信息网络安全, 2014,(1): 30-33.
	YANG Y L , PENG C G , ZHOU Z . A solution of preventing SQL injection attacks based on homomorphic encryption[J]. Netinfo Security, 2014,(1): 30-33.
[15]	赵宇飞, 熊刚, 贺龙涛 ,等. 面向网络环境的SQL注入行为检测方法[J]. 通信学报, 2016,02: 88-97.
	ZHAO Y F , XIONG G , HE L T ,et al. Approach to detecting SQL injection behaviors in network environment[J]. Journal on Communications, 2016,02: 88-97.

Metrics

Recommended 0

No Suggested Reading articles found!

测试技术	拦截率	误报率
基于关键字过滤	73%	20%
基于正则表达式过滤	84%	12%
基于SQL语法树过滤	88%	8%

测试内容	未加载过滤模块	加载过滤模块
不含攻击关键字的正常访问	31.04 ms	40.18 ms
含有攻击关键字的正常访问	37.69 ms	71.53 ms
SQL注入攻击	41.30 ms	52.13 ms

Research on the SQL injection filtering based on SQL syntax tree

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 15

Related Articles 1

Metrics

Recommended 0