Using parse tree validation to prevent SQL injection attacks

G. Buehrer, B. Weide, P. Sivilotti
DOI: 10.1145/1108473.1108496 (https://doi.org/10.1145/1108473.1108496)
Published: 2005-09-05
Journal: Joint Conference on Lexical and Computational Semantics
Citations: 456

Abstract

An SQL injection attack targets interactive web applications that employ database services. Such applications accept user input, such as form fields, and then include this input in database requests, typically SQL statements. In SQL injection, the attacker provides user input that results in a different database request than was intended by the application programmer. That is, the interpretation of the user input as part of a larger SQL statement results in an SQL statement of a different form than originally intended. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input. Our solution is efficient, adding about 3 ms overhead to database query costs. In addition, it is easily adopted by application programmers, having the same syntactic structure as current popular record set retrieval methods. For empirical analysis, we provide a case study of our solution in J2EE. We implement our solution in a simple static Java class, and show its effectiveness and scalability.
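The run-time comparison described in the abstract, sketched as an added example (not the authors' Java class). It approximates the parse-tree check at token level: the statement built with a harmless probe value must have the same structure as the statement built with the real input. The names shape and build_checked, the "{}" slot syntax and the sample queries are assumptions made for this illustration.

```python
import re

# Token classes; every string or numeric literal is treated as a leaf value.
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op><>|<=|>=|!=|[=<>(),;*.+\-/])
  | (?P<bad>\S)
""", re.VERBOSE | re.DOTALL)


def shape(sql):
    """Return the structural shape of a statement, with literals collapsed."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind in ("string", "number"):
            out.append("LITERAL")          # the value may change, the position may not
        elif kind == "word":
            out.append(text.upper())       # keywords and identifiers are structure
        else:
            out.append(kind + ":" + text)  # operators, comments, stray quotes
    return out


def build_checked(template, *user_inputs):
    """Fill the "{}" slots, refusing input that alters the statement's shape."""
    probes = ["0"] * len(user_inputs)      # "0" is a literal in quoted and bare slots
    intended = template.format(*probes)
    actual = template.format(*user_inputs)
    if shape(intended) != shape(actual):
        raise ValueError("user input changed the structure of the SQL statement")
    return actual


if __name__ == "__main__":
    # Constructed sample template and inputs.
    query = "SELECT * FROM users WHERE name='{}' AND pin={}"
    print(build_checked(query, "alice", "1234"))
    for name, pin in [("alice' OR '1'='1", "1234"), ("alice", "1 OR 1=1"), ("alice' --", "0")]:
        try:
            build_checked(query, name, pin)
        except ValueError as err:
            print("rejected:", repr(name), repr(pin), "-", err)
```

The check is conservative: input that is not a single literal token, such as a signed number in a bare slot, is rejected as well.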