
The Research and Application of Real-time Random SQL Injection Detection Methods

Posted on: 2011-08-29
Degree: Master
Type: Thesis
Country: China
Candidate: X B Huang
Full Text: PDF
GTID: 2178330332483493
Subject: Computer application technology
Abstract/Summary:
With the extensive use of the Internet, awareness of network security is gradually improving. At the same time, however, the targets and methods of network attacks are also changing. Attacks on web applications have become a new focus of Internet security attack and defense, and among all attacks on web application systems, SQL injection is a very serious security problem. With this type of attack, the hacker can gain unauthorized access to the web application's database and obtain the company's confidential information, such as account information and online transaction data. Internet users and the company then suffer huge economic losses and insecurity, so real-time, comprehensive, and effective defense against SQL injection attacks should be implemented, and SQL injection attack and defense should be studied in depth.

At least 80% of current web sites have SQL injection vulnerabilities. Because of vulnerabilities in the web server, the database, and the configuration of SQL statements, hackers can submit illegally constructed programs or scripts to the server and obtain the site administrator's privileges and information about the database; in the more serious cases they can obtain the site's information and resources. SQL injection therefore not only poses a serious hazard to database information but also seriously threatens the system and Internet users themselves.

This paper first presents the subject, background, current status, and related research. It then studies the technical background and the injection principle of SQL injection attacks; the technical background covers the relevant knowledge and the ways, purposes, types, and injection process of SQL injection attacks. The paper then implements a real-time detection method for SQL injection attacks, proposing instruction set randomization techniques to effectively guard against SQL injection, and uses this method to build a prototype system.

First, the method randomizes the keywords of the SQL statement: it appends a random number to each keyword to be handled, combines the result with the data entered by Internet users into a complete SQL statement, and then analyzes the SQL statement with the randomization analysis program. If the SQL statement is valid, it is passed to the database for processing after randomization. If the SQL statement is invalid, it is recorded. Because illegal users do not know the key of the randomization algorithm, SQL statements injected by unauthorized users are illegal. The defense system sits between the web application server and the database and is transparent to both, so it can effectively prevent SQL injection attacks without changing the original source code of the application or the server and database platform.
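
The keyword randomization and the intermediate check described in the abstract, as an added sketch that is not code from the thesis. The keyword list, the numeric-suffix scheme, and the function names are assumptions, and a regex tokenizer stands in for a full SQL parser.

```python
import re
import secrets

# Keyword subset assumed for this sketch; a real proxy would cover the full SQL grammar.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT", "UPDATE",
            "DELETE", "DROP", "INTO", "VALUES", "SET"}
# A token is a quoted string literal, a word, or any other single non-space character.
TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|\S")


def new_key():
    """Secret numeric suffix shared by the application templates and the proxy."""
    return f"{secrets.randbelow(10**8):08d}"


def randomize_template(template, key):
    """Application side: append the key to every SQL keyword of a trusted template."""
    def tag(m):
        tok = m.group(0)
        return tok + key if tok.upper() in KEYWORDS else tok
    return TOKEN.sub(tag, template)


def check_and_derandomize(query, key):
    """Proxy side: return (True, plain_sql), or (False, None) if a bare keyword appears."""
    out, pos = [], 0
    for m in TOKEN.finditer(query):
        out.append(query[pos:m.start()])          # keep the original whitespace
        tok = m.group(0)
        if tok.upper() in KEYWORDS:               # keyword without the secret suffix:
            return False, None                    # it did not come from the template
        if tok.endswith(key) and tok[:-len(key)].upper() in KEYWORDS:
            tok = tok[:-len(key)]                 # restore the standard keyword
        out.append(tok)
        pos = m.end()
    out.append(query[pos:])
    return True, "".join(out)


if __name__ == "__main__":
    key = new_key()
    template = randomize_template("SELECT name FROM users WHERE id = '{uid}'", key)
    for uid in ("42", "42' OR '1'='1"):           # constructed sample inputs
        ok, sql = check_and_derandomize(template.format(uid=uid), key)
        print("forward:" if ok else "reject and log:", sql or uid)
```

Keyword-like words inside a quoted literal are treated as data and pass the check; only keywords that appear as SQL tokens without the suffix are rejected.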
Keywords/Search Tags: SQL Injection, Instruction Set Random, Network Security