Netinfo Security (信息网络安全) ›› 2014, Vol. 15 ›› Issue (11): 70-73. doi: 10.3969/j.issn.1671-1122.2014.11.012


Second-order SQL Injection Attack Defense Model (二阶SQL注入攻击防御模型)

Yu-jie TIAN (田玉杰), Ze-mao ZHAO (赵泽茂), Hai-chuan ZHANG (张海川), Xue-shuang LI (李学双)

  1. Department of Communication Engineering, Hangzhou Dianzi University, Hangzhou, Zhejiang 310008, China
  • Received: 2014-10-16  Online: 2014-11-01  Published: 2020-05-18
  • About the authors:

    Yu-jie TIAN (b. 1987), male, Shandong, master's student; research interest: information security. Ze-mao ZHAO (b. 1965), male, Sichuan, professor, Ph.D.; research interests: information security and cryptography. Hai-chuan ZHANG (b. 1989), male, Anhui, master's student; research interest: information security. Xue-shuang LI (b. 1989), male, Henan, master's student; research interest: information security.

  • Funding:
    Zhejiang Provincial Natural Science Foundation, Distinguished Young Scholars Team Project [R109000138]

Abstract:

With the rapid development of Internet technology, Web applications have become widespread, and database-backed Web applications are now used throughout enterprise business systems. Because developers' skill and experience vary widely, many of these applications carry security weaknesses. Among the many factors that affect Web application security, SQL injection is one of the most common and easiest attacks to carry out, and it is widely regarded as among the most damaging. Defending against SQL injection is therefore critical to Web application security, and more effective defenses remain an important research topic. SQL injection exploits the syntax of the structured query language itself. Traditional SQL injection defense models work by filtering user input at the point of entry and by comparing the syntax of the generated SQL statement against the intended statement. Such models do not cover data that has already been stored: when malicious data residing in the database is later concatenated into a dynamic SQL statement, a second-order SQL injection attack results. Building on previous work, this paper proposes a second-order SQL injection defense model based on improved parameterization. The model consists of an input filter module, an index replacement module, a syntax comparison module and a parameterized replacement module. Experiments show that the model defends effectively against second-order SQL injection attacks.

Key words: structured query language, second-order SQL injection attack, defense model
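As an added illustration (not code from the paper), the following Python/SQLite script shows the second-order pattern the abstract describes and two of the defenses it names. A safe parameterized INSERT stores the payload `admin'--` as a username; a later password-change routine re-reads that username from the database, trusts it because it came from the application's own table, and concatenates it into an UPDATE, which hijacks the real `admin` account. The parameterized variant binds the re-read value and is unaffected, and a small `sql_shape` comparison stands in for a syntax comparison module. The table, seed rows, payload and the shape check are all constructed here; they are assumptions for the demonstration, not the paper's implementation.

```python
import re
import sqlite3

# Constructed seed data for the demonstration (not from the paper): one legitimate
# administrator account that the attacker wants to take over.
SEED_USERS = [("admin", "S3cret!")]

# Payload the attacker chooses as a username at registration time. It is stored
# verbatim by a safe parameterized INSERT; the quote and the '--' comment only
# become active later, when the stored value is concatenated into dynamic SQL.
PAYLOAD = "admin'--"


def new_db():
    """Fresh in-memory SQLite database holding the constructed seed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def register(conn, username, password):
    """First-order safe: bound parameters store the payload as plain data."""
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 (username, password))
    conn.commit()


def change_password_vulnerable(conn, username, new_password):
    """Second-order sink: the username is re-read from the database, trusted
    because it 'came from our own table', and concatenated into the UPDATE."""
    (stored,) = conn.execute("SELECT username FROM users WHERE username = ?",
                             (username,)).fetchone()
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (new_password, stored)
    conn.execute(sql)  # with PAYLOAD stored, the WHERE clause now ends at 'admin'
    conn.commit()
    return sql


def change_password_parameterized(conn, username, new_password):
    """Parameterized replacement: values coming back from the database are bound
    exactly like request input, so the stored payload is compared as data."""
    (stored,) = conn.execute("SELECT username FROM users WHERE username = ?",
                             (username,)).fetchone()
    conn.execute("UPDATE users SET password = ? WHERE username = ?",
                 (new_password, stored))
    conn.commit()


def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def run_scenario(change_password):
    """Register the payload, then change 'its' password through the given sink.
    Returns (admin's password, attacker's password) afterwards."""
    conn = new_db()
    register(conn, PAYLOAD, "attacker-pw")
    change_password(conn, PAYLOAD, "pwned")
    return password_of(conn, "admin"), password_of(conn, PAYLOAD)


# --- A minimal syntax-comparison check (hypothetical, not the paper's module) ---
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")


def sql_shape(sql):
    """Collapse every string/number literal to '?' so that only the statement's
    structure remains; a payload that alters the structure changes the shape."""
    shape = _STRING_LITERAL.sub("?", sql)
    shape = _NUMBER.sub("?", shape)
    return " ".join(shape.split())


def matches_template(sql, template):
    """True only if the dynamically built SQL has the same shape as the
    developer's intended template (which already uses '?' for every literal)."""
    return sql_shape(sql) == " ".join(template.split())


if __name__ == "__main__":
    print(run_scenario(change_password_vulnerable))     # admin's password hijacked
    print(run_scenario(change_password_parameterized))  # admin untouched
    built = "UPDATE users SET password = 'pwned' WHERE username = '%s'" % PAYLOAD
    print(matches_template(built, "UPDATE users SET password = ? WHERE username = ?"))
```

The point of the shape check is that it must be applied to the statement as finally built, after stored values have been concatenated, not only to request input; a check performed at the input boundary never sees the second-order payload at all.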

CLC number: