A Defense against SQL Injection Attack through Validation on Input Legitimacy
Master's thesis (碩士), Chung Yuan Christian University (中原大學), Graduate Institute of Information Engineering (資訊工程研究所), academic year 97 (ROC calendar).

Main Authors: | Ching-Ju Wu 吳靜茹 |
---|---|
Other Authors: | Hsiao-Rong Tyan 田筱榮 |
Format: | Others |
Language: | zh-TW |
Published: | 2009 |
Online Access: | http://ndltd.ncl.edu.tw/handle/44317375982863901114 |
Record ID: | ndltd-TW-097CYCU5392032 |
---|---|
Chinese title: | 以合理輸入值驗證為基礎之SQL指令植入式攻擊防禦 |
Author: | Ching-Ju Wu 吳靜茹 |
Other Author: | Hsiao-Rong Tyan 田筱榮 |
Type: | Degree thesis (學位論文), 47 pages, zh-TW, 2009 |

Abstract:

The development of Web 2.0 has brought about the prevalence of web application services backed by databases. As interaction with the database increases, web application service programs become complicated, which makes it difficult to guarantee that a SQL query constructed from user input is safe for the database. Therefore, an effective defense mechanism against SQL injection attacks by malicious users is important to the safe use of the valuable content in the database. In this thesis, a novel defense scheme is proposed. Before a web application service program is put into service, a static analysis process is applied to determine the type of each user-supplied parameter that will be used in constructing SQL queries. Later, when a user input is received at the web server at run time, a validation procedure determines the legitimacy of the input according to its type before it is delivered to the corresponding application program to construct the SQL query. In this way, the possibility of constructing illegal SQL queries is eliminated. The scheme focuses on the input parameters directly related to SQL query construction, which makes it possible to follow SQL syntax precisely and to allow atypical yet proper input values. The scheme also avoids leaking information internal to the web application service, since the validation procedure is performed at the web server before user input is delivered to the corresponding application programs. The proposed scheme is transparent to both the user and the program developer. It only requires administrative effort to run the static analysis process on the application programs and to install the validation module in the web server to achieve the desired protection against SQL injection attacks.