
Prevent SQL Injection Attacks Using Encryption and Statistical Model (Cited by: 3)
Abstract: With the rapid development of the Internet, web applications have grown explosively. More and more Internet-based critical business, such as e-commerce, e-government and Internet finance, is carried out through web applications. However, because the Internet is open and has security shortcomings, web application databases that store data over the network are easily exposed to data theft, tampering and deletion. Ensuring the security of web application data is therefore an important practical task and research field. According to the risk assessments of OWASP (Open Web Application Security Project), injection attacks have ranked first from 2010 to the present. Based on a study of SQL injection attacks (SQLIA), this paper proposes a scheme for preventing them using encryption and a statistical model. First, the statistical model compares statistics of the SQL statement before and after the user input is added, checking whether the count of each type of attribute has changed; if the two are inconsistent, the statement is identified as a SQL injection and is refused execution. Then the table names and field names in the database are encrypted to further improve the ability to defend against SQL injection attacks.
Source: Software (《软件》), 2015, No. 12, pp. 189-193 (5 pages)
Keywords: Web security; SQL injection attacks; Encryption; Statistical model

