• Journal of the China Computer Federation
  • Chinese Science and Technology Core Journal
  • Chinese Core Journal

J4 ›› 2013, Vol. 35 ›› Issue (2): 68-73.


A static analysis method of anti-SQL injection attack

QIN Guangzan, GUO Fan, XU Fang, YU Min

  1. (School of Computer Information and Engineering, Jiangxi Normal University, Nanchang 330022, China)
  • Received: 2011-12-23 Revised: 2012-04-17 Online: 2013-02-25 Published: 2013-02-25
  • Supported by:

    International Cooperation Project of the Ministry of Science and Technology (2010DFA70990)

Abstract:

This paper proposes a method for detecting SQL injection attacks based on static analysis. It statically analyzes the source files of a Web application, extracts the construction paths from taint sources to execution parameters, and forms detection rules from them. During dynamic execution, the input parameters in a rule are replaced with the user's input values, and the resulting SQL statement is compared with the original SQL statement for semantic and structural similarities and differences to determine whether an SQL injection attack is present. Experimental results show that the method is effective and feasible, and that adding the filtering module has little effect on system performance.

Key words: SQL injection; static analysis; construct path; detection rule; Web application
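
The run-time comparison step described in the abstract, as an added Python sketch that is not the paper's implementation: the rule format (`{param}` placeholders), the small lexer, the benign baseline value and the sample inputs are all assumptions constructed for illustration.

```python
import re

# Small SQL lexer for this demo only (assumption: not a full SQL grammar).
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^'\\]|''|\\.)*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_]\w*)
  | (?P<op>[<>!]=|<>|[-=<>+*/%(),.;])
  | (?P<junk>.)
""", re.VERBOSE | re.DOTALL)

# Constructed rule: the statement a static pass might recover for one query,
# with the tainted inputs left as named placeholders (hypothetical format).
RULE = "SELECT id FROM users WHERE name = '{name}' AND age > {age}"

def build(rule, values):
    """Replace each {param} in the rule with the supplied value."""
    return re.sub(r"\{(\w+)\}", lambda m: values[m.group(1)], rule)

def structure(sql):
    """Token skeleton: literals and comments collapse to their kind."""
    skeleton = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind in ("string", "number", "comment"):
            skeleton.append(kind)
        else:
            skeleton.append(text.upper())  # keywords, identifiers, operators
    return skeleton

def is_injection(rule, user_values):
    """True when user input changes the statement's structure."""
    # "1" lexes as a literal in both quoted and unquoted positions.
    benign = {name: "1" for name in user_values}
    return structure(build(rule, user_values)) != structure(build(rule, benign))

if __name__ == "__main__":
    samples = (  # constructed inputs
        {"name": "alice", "age": "30"},
        {"name": "x' OR '1'='1", "age": "30"},
        {"name": "alice", "age": "30 OR 1=1"},
        {"name": "admin' --", "age": "30"},
    )
    for vals in samples:
        print(is_injection(RULE, vals), build(RULE, vals))
```

A value containing an unescaped quote, such as a surname with an apostrophe, also changes the token skeleton and is flagged, so the comparison has to run on the statement as the application would actually construct it, after any escaping on the construction path.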