SQL Injection Prevention Based on Sensitive Characters

Zhang Huilin; Ding Yu; Zhang Lihua; Duan Lei; Zhang Chao; Wei Tao; Li Guancheng; Han Xinhui

doi:10.7544/issn1000-1239.2016.20160443

Journal of Computer Research and Development > 2016 > 53(10): 2262-2276. > DOI: 10.7544/issn1000-1239.2016.20160443 CSTR: 32373.14.issn1000-1239.2016.20160443

Zhang Huilin, Ding Yu, Zhang Lihua, Duan Lei, Zhang Chao, Wei Tao, Li Guancheng, Han Xinhui. SQL Injection Prevention Based on Sensitive Characters[J]. Journal of Computer Research and Development, 2016, 53(10): 2262-2276. DOI: 10.7544/issn1000-1239.2016.20160443

Citation:

PDF (2783 KB)

SQL Injection Prevention Based on Sensitive Characters

¹(Institute of Computer Science and Technology, Peking University, Beijing 100080)
²(University of California at Berkeley, Berkeley, CA, 94720)
³(Baidu USA Limited Liability Company, Sunnyvale, CA, 94089)

More Information

Published Date: September 30, 2016

Graphical Abstract

Abstract

Abstract

SQL injection attacks are prevalent Web threats. Researchers have proposed many taint analysis solutions to defeat this type of attacks, but few are efficient and practical to deploy. In this paper, we propose a practical and accurate SQL injection prevention method by tainting trusted sensitive characters into extended UTF-8 encodings. Unlike typical positive taint analysis solutions that taint all characters in hard-coded strings written by the developer, we only taint the trusted sensitive characters in these hard-coded strings. Furthermore, rather than modifying Web application interpreter to track taint information in extra memories, we encode the taint metadata into the bytes of trusted sensitive characters, by utilizing the characteristics of UTF-8 encoding. Lastly, we identify and escape untrusted sensitive characters in SQL statements to prevent SQL injection attacks, without parsing the SQL statements. A prototype called PHPGate is implemented as an extension on the PHP Zend engine. The evaluation results show that PHPGate can protect Web applications from real world SQL injection attacks and introduce a low performance overhead (less than 1.6%).
- SQL injection attack,
- trusted sensitive character,
- dynamic taint analysis,
- positive taint analysis,
- UTF-8 encoding

FullText(HTML)

References (0)

[1]	Huang Heyan, Liu Xiao, Liu Qian. Knowledge-Enhanced Graph Encoding Method for Metaphor Detection in Text[J]. Journal of Computer Research and Development, 2023, 60(1): 140-152. DOI: 10.7544/issn1000-1239.202110927
[2]	Zhou Huisi, Ouyang Dantong, Tian Xinliang, Zhang Liming. A Novel Encoding for Model-Based Diagnosis[J]. Journal of Computer Research and Development, 2023, 60(1): 95-102. DOI: 10.7544/issn1000-1239.202110794
[3]	Guo Fangfang, Wang Xinyue, Wang Huiqiang, Lü Hongwu, Hu Yibing, Wu Fang, Feng Guangsheng, Zhao Qian. A Dynamic Stain Analysis Method on Maximal Frequent Sub Graph Mining[J]. Journal of Computer Research and Development, 2020, 57(3): 631-638. DOI: 10.7544/issn1000-1239.2020.20180846
[4]	Wang Lei, He Dongjie, Li Lian, Feng Xiaobing. Sparse Framework Based Static Taint Analysis Optimization[J]. Journal of Computer Research and Development, 2019, 56(3): 480-495. DOI: 10.7544/issn1000-1239.2019.20180071
[5]	Yue Hongzhou, Zhang Yuqing, Wang Wenjie, Liu Qixu. Android Static Taint Analysis of Dynamic Loading and Reflection Mechanism[J]. Journal of Computer Research and Development, 2017, 54(2): 313-327. DOI: 10.7544/issn1000-1239.2017.20150928
[6]	WangGaoli, GanNan. A Meet-in-the-Middle Attack on 8-Round mCrypton-96[J]. Journal of Computer Research and Development, 2016, 53(3): 666-673. DOI: 10.7544/issn1000-1239.2016.20148270
[7]	Han Tao, Zhu Yuefei, Lin Sisi, Wu Yang. Modified Matrix Encoding Based on the Spatial Distortion Model and Its Improvement[J]. Journal of Computer Research and Development, 2014, 51(7): 1467-1475.
[8]	Lü Shuai, Liu Lei, Wei Wei, and Gao Bingbing. Logical Encoding Methods in Intelligent Planning[J]. Journal of Computer Research and Development, 2012, 49(3): 607-619.
[9]	Hu Chaojian, Li Zhoujun, Guo Tao, Shi Zhiwei. Detecting the Vulnerability Pattern of Writing Tainted Value to Tainted Address[J]. Journal of Computer Research and Development, 2011, 48(8): 1455-1463.
[10]	Ji Xiuhua, Zhang Caiming, Liu Hui. A Fast 2D 8×8 DCT Algorithm Based on Look-Up Table for Image Compression[J]. Journal of Computer Research and Development, 2009, 46(4): 618-628.