An authentication mechanism to prevent SQL injection by syntactic analysis

Authors: Ashwin Ramesh, Anirban Bhowmick, A. Lal
DOI: 10.1109/ITACT.2015.7492650 (https://doi.org/10.1109/ITACT.2015.7492650)
Published in: 2015 International Conference on Trends in Automation, Communications and Computing Technology (I-TACT-15)
Publication date: 2015-12-01
Citation count: 4 (Semantic Scholar)
Abstract: With the growth in web-based applications that employ database services, SQL injection is becoming one of the most frequently used exploits. It permits an intruder to gain control over the database of an application and thereby read and modify confidential data. This paper illustrates a few different forms of SQL injection and, from observation, shows that SQL injection is interpreted differently on different databases. An effective solution is also proposed for the prevention of these categories of injection attacks. The authors suggest an approach in which the value entered for every field is checked for an SQL injection attack by parsing it with a grammar that detects SQL injection. If the value parses successfully, an SQL injection attack was probably intended. If not, the entry was legitimate and the database can be coordinated.