SQL Injection Filtering Method Based on Proxy Mode
Cite this article: HAN Chen-Wang, LIN Hui, RAO Xu-Li, HUANG Chuan. SQL Injection Filtering Method Based on Proxy Mode [J]. Computer Systems & Applications, 2018, 27(1): 98-105
Authors: HAN Chen-Wang (韩宸望)  LIN Hui (林晖)  RAO Xu-Li (饶绪黎)  HUANG Chuan (黄川)
Affiliations: (1) School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350117; Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou 350117. (2) School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350117; Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou 350117. (3) Department of Information Technology Engineering, Fuzhou Polytechnic, Fuzhou 350108. (4) School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350117; Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou 350117
Funding: National Natural Science Foundation of China (61363068, 61472083); Fujian Provincial Guiding Fund (2016Y0031); Fuzhou Science and Technology Bureau Fund (2015-G-54, 2015-G-84)
Abstract: To address the SQL injection problem in Web security, this paper proposes a new SQL injection filtering method, the LFS (length-frequency-SQL syntax tree) filtering method. LFS has two phases, learning and filtering. In the learning phase, carried out in a secure environment, a crawler and a database proxy are used to build a mapping table from URLs to SQL statements. In the filtering phase, user input is filtered by checking three aspects, URL length, access frequency and SQL syntax tree, so that SQL injection attacks are prevented. Simulation experiments and analysis of the results show that the LFS method prevents SQL injection attacks more effectively than traditional keyword filtering and regular expression filtering.

Keywords: SQL injection attack  Web security  user input filtering  SQL syntax tree
Received: 2017-04-16
Revised: 2017-05-02

SQL Injection Filtering Method Based on Proxy Mode
HAN Chen-Wang, LIN Hui, RAO Xu-Li, HUANG Chuan. SQL Injection Filtering Method Based on Proxy Mode [J]. Computer Systems & Applications, 2018, 27(1): 98-105
Authors:HAN Chen-Wang  LIN Hui  RAO Xu-Li  HUANG Chuan
Affiliation: (1) School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350117, China; Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou 350117, China. (2) School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350117, China; Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou 350117, China. (3) Department of Information Technology Engineering, Fuzhou Polytechnic, Fuzhou 350108, China. (4) School of Mathematics and Computer Science, Fujian Normal University, Fuzhou 350117, China; Fujian Provincial Key Laboratory of Network Security and Cryptology, Fujian Normal University, Fuzhou 350117, China
Abstract: To address the SQL injection problem in Web security, this study proposes a new SQL injection filtering method named LFS (length-frequency-SQL syntax tree). LFS has two phases, learning and filtering. In the learning phase, a mapping table from URLs to SQL statements is built in a secure environment using a crawler and a database proxy. In the filtering phase, the URL length, the access frequency and the SQL syntax tree are checked to filter user input and prevent SQL injection attacks. Simulation experiments and analysis of the results show that the proposed LFS method prevents SQL injection attacks more effectively than traditional keyword filtering and regular expression filtering.
Keywords:SQL injection attack  Web security  user input filtering  SQL syntax tree
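The abstract describes the LFS pipeline but the paper's code is not on this page. The following is an added example, written for this record and not the authors' implementation, that shows the shape of such a proxy-side filter: a learning phase that records, per URL path, the longest benign URL and the structure of the SQL the application issues, and a filtering phase that applies the three checks in the order the abstract lists them. Everything specific is an assumption: the SQL "syntax tree" is approximated by a token skeleton with literals abstracted to STR/NUM (the paper compares real syntax trees), the thresholds `freq_limit`, `window_seconds` and `length_slack` are invented, and `vulnerable_query` is a constructed stand-in for the protected application that concatenates user input into SQL. The traffic in `demo()` is constructed.

```python
import re
import time
from collections import defaultdict, deque

# Minimal SQL tokeniser. Assumed simplification: the paper compares full SQL
# syntax trees; here string/number literals are abstracted away and the resulting
# token sequence is used as the structural fingerprint of the statement.
TOKEN_RE = re.compile(r"""
    '(?:[^']|'')*'              # single-quoted string literal
  | \d+(?:\.\d+)?               # numeric literal
  | [A-Za-z_][A-Za-z0-9_.]*     # identifier or keyword
  | <>|<=|>=|!=|--|/\*|\*/      # multi-character operators and comment markers
  | [=<>+\-*/%(),;]             # single-character operators and punctuation
  | \S                          # anything else, e.g. an unmatched quote
""", re.VERBOSE)

KEYWORDS = {"select", "from", "where", "and", "or", "not", "insert", "into",
            "values", "update", "set", "delete", "union", "order", "by", "limit",
            "like", "in", "is", "null", "join", "on", "as"}


def sql_skeleton(sql):
    """Reduce a statement to its structure: literals become STR/NUM placeholders,
    keywords are upper-cased, identifiers lower-cased. Queries built from the same
    template with different user data share a skeleton; an injected clause
    (extra OR, UNION, comment marker) produces a different one."""
    out = []
    for tok in TOKEN_RE.findall(sql):
        if tok[0] == "'":
            out.append("STR")
        elif tok[0].isdigit():
            out.append("NUM")
        elif tok.lower() in KEYWORDS:
            out.append(tok.upper())
        else:
            out.append(tok.lower())
    return tuple(out)


class LFSFilter:
    """Proxy-side filter applying the three LFS checks in the order the abstract
    lists them: URL length, access frequency, SQL syntax structure."""

    def __init__(self, freq_limit=20, window_seconds=60, length_slack=1.5):
        self.freq_limit = freq_limit           # assumed threshold, not from the paper
        self.window_seconds = window_seconds   # assumed sliding-window length
        self.length_slack = length_slack       # assumed tolerance over the longest benign URL
        self.url_skeletons = defaultdict(set)  # URL path -> learned SQL skeletons
        self.url_max_len = {}                  # URL path -> longest benign URL seen
        self.hits = defaultdict(deque)         # client -> recent request timestamps

    def learn(self, url, sql):
        """Learning phase: record the URL -> SQL structure mapping from benign traffic."""
        path = url.split("?", 1)[0]
        self.url_skeletons[path].add(sql_skeleton(sql))
        self.url_max_len[path] = max(self.url_max_len.get(path, 0), len(url))

    def check(self, client, url, sql, now=None):
        """Filtering phase: return (allowed, reason) for one request and the SQL
        statement the application is about to send through the proxy."""
        now = time.time() if now is None else now
        path = url.split("?", 1)[0]
        window = self.hits[client]
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        # 1. URL length: a payload usually makes the URL far longer than any benign one.
        if path in self.url_max_len and len(url) > self.url_max_len[path] * self.length_slack:
            return False, "url-length"
        # 2. Access frequency: automated probing hits the same URL rapidly.
        if len(window) > self.freq_limit:
            return False, "access-frequency"
        # 3. SQL structure: the statement must match a structure learned for this URL.
        if path not in self.url_skeletons:
            return False, "unknown-url"
        if sql_skeleton(sql) not in self.url_skeletons[path]:
            return False, "sql-structure"
        return True, "ok"


def vulnerable_query(name, user_id):
    """Constructed stand-in for the protected application: it concatenates user
    input into SQL, which is exactly what the proxy must guard."""
    return f"SELECT * FROM users WHERE name = '{name}' AND id = {user_id}"


def demo():
    """Learn from constructed benign traffic, then filter several kinds of request."""
    f = LFSFilter(freq_limit=5, window_seconds=60, length_slack=1.5)
    for url, name, uid in [("/user?name=alice&id=7", "alice", 7),
                           ("/user?name=bartholomew&id=1024", "bartholomew", 1024)]:
        f.learn(url, vulnerable_query(name, uid))
    t = 1_000_000.0  # fixed clock so the run is deterministic
    results = {}
    results["benign"] = f.check("10.0.0.1", "/user?name=carol&id=3",
                                vulnerable_query("carol", 3), now=t)[1]
    # Textbook tautology input, constructed to show the structural check firing.
    payload = "' OR '1'='1"
    results["injected"] = f.check("10.0.0.2", f"/user?name={payload}&id=7",
                                  vulnerable_query(payload, 7), now=t)[1]
    results["too_long"] = f.check("10.0.0.3", "/user?name=" + "a" * 60 + "&id=7",
                                  vulnerable_query("a" * 60, 7), now=t)[1]
    results["unknown"] = f.check("10.0.0.4", "/admin?x=1", "SELECT 1", now=t)[1]
    for i in range(6):  # the sixth request inside the window exceeds freq_limit=5
        last = f.check("10.0.0.5", "/user?name=dave&id=5",
                       vulnerable_query("dave", 5), now=t + i)[1]
    results["flood"] = last
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:10s} -> {reason}")
```

Two design points matter in practice. The structural check only works because the learning phase sees the SQL the application actually issues, which is why the paper places a proxy between the application and the database rather than inspecting URLs alone; and the learned set must be complete, since any benign URL not crawled during learning is rejected as `unknown-url`, which is the false-positive cost of an allow-list approach.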