
The Implementation Of A Multi-function SQL Injection Detection System And Research On Prevention

Posted on: 2010-11-15
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Liu
GTID: 2178360275473076
Subject: Computer Science and Technology
Abstract/Summary:
As networks are applied ever more widely, people attach more and more importance to network security. At the same time, the targets and methods of network attacks are changing. At present, attacks aimed at Web applications have become a new focus of network security attack and defense, and SQL injection has become a serious security risk among all the attacks against Web applications. A SQL injection attack allows an attacker unrestricted access to the underlying database and, through it, to confidential information belonging to the corporation and its network users, such as bank account numbers and transaction data. SQL injection can cause great distress and economic loss to enterprises and Internet users, so comprehensive defense against SQL injection attacks is urgently needed. For this reason, this paper conducts in-depth research on SQL injection and its defense.

Firstly, the paper describes the background of the subject, its current status and the main research contents. Secondly, it explores the technical background and theory of SQL injection attacks. The technical background covers basic knowledge about websites and the methods, motives, categories and procedure of SQL injection attacks, which helps in implementing a multi-function SQL injection detection system. Finally, the paper puts forward a novel prevention method based on the parse tree, derived from existing defense methods.

The paper designs and implements a multi-function SQL injection detection system that supports both manual and automatic SQL injection. Automatic SQL injection increases the speed of injection, and manual SQL injection makes it more flexible. The SQL injection attack in this system can be carried out in three ways: general injection, brute-force guessing and dictionary guessing.

Meanwhile, the paper gives a novel parse-tree-based prevention method for dynamic detection of SQL injection attacks, which improves the accuracy of SQL injection detection. Designing it as an API function lightens the burden on programmers who write filtering code and avoids the incomplete filtering they might otherwise introduce.
Keywords/Search Tags:SQL Injection, Network Security, Coding defense, Parse tree, Blind injection