一种新的SQL注入防护方法的研究与实现

当前Wcb应用安全问题日益严峻，而SQI、注入是针对Wcb应用最为普遍的攻击手段之一。文中提出了一 种新的SQL注入防护方法。该方法通过将静态模式匹配与动态特征过滤配合使用，避免单一方法存在的不足，从而 达到良好的效果。该方法通过在安全环境下自动学习所有合法SQL语句，构建知识库;然后在实时工作环境下，利用 模式匹配算法将SQI、语句与知识库进行匹配，匹配成功则判定为合法SQI语句。对于匹配失败的SQI、语句并不立 即判定为非法，而是采用基于风险值的动态特征过滤算法进行深度特征检查，识别真正的非法SQL语句。基于本方 法，设计并实现了一个原型系统。测试结果表明，该原型系统具有较好的性能优势，并能够很好地解决一般防注入方 法带来的准确率与误报率之间的矛盾。

New Approach for SQL-injecton Detection

Web application security is a serious isssuc of information security, and SQL- injection is one of the most com- mon attacks. This paper proposed an approach to counter SQL Injection which combines static mod}matching and dy- namic fcaturcfiltering. It learned automatically the structure feature of all legal SQL statements to construct knowledge library in safe environments, and then matched every SQL statement with knowledge library in real environments. If succeeded , this SQL statement was considered to be legitimate. If failed, it was not determined to be illegal immediately. We would take depth-feature check based on Valucat Risk,and identitify the true illegal SQL statements. Experimental results prove that this proposed approach has good performance and perfect protection for SQL Injection.