Zhang Huilin, Ding Yu, Zhang Lihua, Duan Lei, Zhang Chao, Wei Tao, Li Guancheng, Han Xinhui. SQL Injection Prevention Based on Sensitive Characters[J]. Journal of Computer Research and Development, 2016, 53(10): 2262-2276. DOI: 10.7544/issn1000-1239.2016.20160443

SQL Injection Prevention Based on Sensitive Characters

Published Date: September 30, 2016

Abstract: SQL injection attacks are prevalent Web threats. Researchers have proposed many taint analysis solutions to defeat this type of attack, but few are efficient and practical to deploy. In this paper, we propose a practical and accurate SQL injection prevention method that taints trusted sensitive characters by means of extended UTF-8 encodings. Unlike typical positive taint analysis solutions, which taint all characters in the hard-coded strings written by the developer, we taint only the trusted sensitive characters in these strings. Furthermore, rather than modifying the Web application interpreter to track taint information in extra memory, we encode the taint metadata into the bytes of the trusted sensitive characters themselves, exploiting the characteristics of UTF-8 encoding. Lastly, we identify and escape untrusted sensitive characters in SQL statements to prevent SQL injection attacks, without parsing the SQL statements. A prototype called PHPGate is implemented as an extension of the PHP Zend engine. The evaluation results show that PHPGate protects Web applications from real-world SQL injection attacks and introduces a low performance overhead (less than 1.6%).
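As an added illustration of the idea in the abstract (this is not the authors' PHPGate code), the following Python model tags the sensitive characters of developer-written string literals with an overlong UTF-8 encoding, leaves external input untagged, and escapes untagged sensitive characters at the SQL sink with a single byte scan and no SQL parsing. The sensitive set, the tag format, the MySQL-style backslash escaping and the strict UTF-8 check on input are assumptions; the abstract does not specify them.

```python
# Toy model of positive tainting with in-band UTF-8 tags (added example, not PHPGate).
# Assumed, since the abstract does not specify them: sensitive set {' " \}, tag format
# (overlong two-byte UTF-8 form of the ASCII character) and backslash escaping.
SENSITIVE = b"'\"\\"

def _tag(c: int) -> bytes:
    # Overlong form 110000xx 10xxxxxx: a conforming UTF-8 encoder never emits it, so it
    # cannot collide with genuine text and is unambiguous at the sink.
    return bytes([0xC0 | (c >> 6), 0x80 | (c & 0x3F)])

TAGGED = {_tag(c): bytes([c]) for c in SENSITIVE}

def trusted(literal: str) -> bytes:
    """Developer-written SQL fragment: tag only its sensitive characters as trusted."""
    return b"".join(_tag(b) if b in SENSITIVE else bytes([b])
                    for b in literal.encode("utf-8"))

def untrusted(data: bytes) -> bytes:
    """External input: strict UTF-8 validation rejects overlong sequences, so a client
    cannot forge a trust tag; its sensitive characters remain untagged."""
    return data.decode("utf-8").encode("utf-8")  # raises UnicodeDecodeError on C0/C1

def accepts(data: bytes) -> bool:
    """True if untrusted() accepts the input, i.e. it carries no forged tag."""
    try:
        untrusted(data)
        return True
    except UnicodeDecodeError:
        return False

def sink(query: bytes) -> str:
    """SQL sink: restore tagged (trusted) characters, escape untagged (untrusted) ones
    in a single byte scan; the SQL statement is never parsed."""
    out, i = bytearray(), 0
    while i < len(query):
        if query[i:i + 2] in TAGGED:
            out += TAGGED[query[i:i + 2]]
            i += 2
        elif query[i] in SENSITIVE:
            out += b"\\" + query[i:i + 1]  # neutralise the untrusted character
            i += 1
        else:
            out += query[i:i + 1]
            i += 1
    return out.decode("utf-8")

def build_query(name: bytes) -> str:
    # Hard-coded fragments are trusted; the lookup value is external input.
    return sink(trusted("SELECT id FROM users WHERE name = '")
                + untrusted(name) + trusted("'"))
```

Because the tag is an encoding that valid UTF-8 never contains, the sink needs no side table of taint bits, which is the property the abstract relies on to avoid interpreter changes for taint storage.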