Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

Method and system for SQL injection and defense

An application system and grammar technology, applied in transmission systems, electrical components, etc., can solve the problems of misjudging keywords, cumbersome, low efficiency, etc., to prevent SQL injection and improve security.

Active Publication Date: 2013-10-02
BEIJING 58 INFORMATION TECH
View PDF6 Cites 26 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

One is the problem of missed judgment of keywords. According to the flexibility of SQL statements, experienced attackers can easily bypass the preset keywords on the server side to attack, which reduces the accuracy of SQL injection detection.
The second is the problem of misjudging keywords
This method is based on known safe SQL, but is limited by the integrity of SQL. Its disadvantage is that not only "sufficient" SQL is required for the system to learn the known SQL syntax tree, but how to define "sufficient" is difficult
If a large amount of learning is required to achieve the so-called "sufficient" standard, the learning cost and execution efficiency will be seriously affected
In addition, the knowledge base method cannot exhaustively enumerate all SQL syntax trees, so false positives cannot be avoided
At present, the occurrence of false positives can only be reduced by continuously updating the legal SQL statement knowledge base, which is very cumbersome and inefficient

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • Method and system for SQL injection and defense
  • Method and system for SQL injection and defense
  • Method and system for SQL injection and defense

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0023] The objects and functions of the present invention and methods for achieving the objects and functions will be clarified by referring to the exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below; it can be implemented in various forms. The essence of the description is only to help those skilled in the relevant art comprehensively understand the specific details of the present invention.

[0024] Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In the drawings, the same reference numerals represent the same or similar components, or the same or similar steps.

[0025] According to the method and system of SQL injection defense of the present invention, before the SQL statement accesses the database, a database proxy server providing database query is set, and the database proxy server passes through the client / server (C / S), browser / server (B / S) ...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention provides an SQL injection and defense method aiming at a data base, which comprises the following steps: (a), receiving SQL statements accessing a data base and sent out by an application system; (b), performing the injection judging and checking to the SQL statements; if the SQL statements are SQL injection, intercepting the SQL injection, recording the mistake, and returning the abnormal information to the application system; if the SQL statements are not the SQL injection, querying an operational interface specification of the corresponding data base required to be accessed by the SQL statements, and splicing SQL statements conform to the data base operational interface specification; (c), sending the specified SQL statements spliced in the step (b) to a corresponding data base to perform data base operation; (d), returning the queried result to the application system. According to the invention, a data base agent server is arranged as per the method provided by the invention, an operation and maintenance method is used for rejecting access permission of any other application system except the data base agent server to the data base, thereby preventing the SQL injection.

Description

technical field [0001] The invention relates to the field of computer network information security protection, in particular to an improved SQL injection defense method and system. Background technique [0002] With the popularity of Web applications and browser / server (B / S) mode applications, the security issues of Web applications are also increasingly concerned. SQL injection attack is the most common web application attack technique, and the security damage caused by SQL injection attack is also irreparable. The so-called SQL injection attack is that the attacker inserts SQL commands into the input field of the Web form or the query string of the page request to trick the server into executing malicious SQL commands. In some forms, the content entered by users is directly used to construct or affect dynamic SQL commands, or as input parameters of stored procedures. Such forms are particularly vulnerable to SQL injection attacks. [0003] SQL injection can be divided in...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Applications(China)
IPC IPC(8): H04L29/06
Inventor 王志强
Owner BEIJING 58 INFORMATION TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com