With the rapid development of computer network technology, the role of database technology in storing and managing important data is increasingly apparent. At the same time, the targets and methods of network attacks are constantly changing. Attacks against web applications account for a large share of them, and SQL injection vulnerabilities in particular expose web applications to serious security risk. By cleverly constructing input data, an attacker can submit malicious page requests and gain access to and control over the back-end database of a web application, including confidential corporate and user information such as transaction data and bank accounts; this causes tremendous economic losses to network users and enterprises, so the need to defend web applications against SQL injection attacks is very urgent today.

In recent years, SQL injection attacks have been used continually and have kept evolving, showing growing diversity and concealment, which bring a high technical threshold, large investment, poor usability and weak cooperative ability to web application defense. Under these circumstances, a middleware for defending against SQL injection attacks emerges as a requirement of the times.

The design idea of the model is to combine SQL injection defense technology with middleware technology: the SQL injection defense module is separated from the web application as an independent, common piece of software, so that the two form a loosely coupled relationship.
Therefore, it can raise the reusability of software and also reduce the difficulty of web application development. The main research subjects of this paper are as follows:

(1) Design the architecture of the middleware for SQL injection attack defense, give a brief theoretical analysis, show the details of the middleware in its different working modes, and introduce the principle by which the middleware detects SQLIA (SQL injection attacks), as well as the function of its component modules.

(2) Realize the middleware as designed, including the detailed design and implementation of the application programming interface, and describe the detailed implementation of the analyzer and the responder, such as the design of the service layer, the design of persistence, and the design of the database.

(3) Apply the middleware for SQL injection attack defense to an open-source web application that contains SQL injection vulnerabilities, and then perform several experimental SQL injection attacks to test the function and performance of the middleware.
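As an added illustration of the loosely coupled architecture described above, with an analyzer and a responder as separate modules, the following Python sketch is example code written for this page, not the thesis's middleware. The abstract does not state the detection principle, so the example assumes one: each query site in the application registers the structure of the statement it intends to run, and the analyzer rejects any statement whose structure differs from that template once literal values are abstracted away. The class names, the "hot spot" registration API, and the sqlite3 sample data are all assumptions.

```python
import re
import sqlite3
from dataclasses import dataclass

# Tokenizer for the subset of SQL needed here. Literal values are the only part
# of a statement that legitimate user input should ever change, so the analyzer
# abstracts them to STR/NUM and compares everything else exactly.
_TOKEN_RE = re.compile(r"""
    (?P<STR>'(?:[^']|'')*')                 # single-quoted string ('' is an escaped quote)
  | (?P<NUM>\d+(?:\.\d+)?)
  | (?P<COMMENT>--[^\n]*|/\*.*?\*/)
  | (?P<WORD>[A-Za-z_][A-Za-z0-9_]*)
  | (?P<OP><>|<=|>=|!=|\|\||[=<>(),;*+\-/?%])
  | (?P<WS>\s+)
  | (?P<BAD>.)                              # anything else, e.g. an unterminated quote
""", re.VERBOSE | re.DOTALL)

_KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO", "VALUES",
             "UPDATE", "SET", "DELETE", "UNION", "ALL", "ORDER", "BY", "LIMIT", "LIKE",
             "IN", "IS", "NULL", "JOIN", "ON", "AS", "DROP", "TABLE"}


def skeleton(sql):
    """Reduce a statement to its structure: keywords (upper-cased), identifiers,
    operators and comments, with every literal replaced by STR or NUM."""
    out = []
    for m in _TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "WS":
            continue
        if kind == "WORD":
            up = text.upper()
            out.append(up if up in _KEYWORDS else text.lower())
        elif kind in ("STR", "NUM", "COMMENT"):
            out.append(kind)
        else:
            out.append(text)          # operators and stray characters kept verbatim
    return out


class InjectionBlocked(Exception):
    """Raised by the responder when a statement is refused."""


@dataclass
class Verdict:
    hotspot: str
    allowed: bool
    reason: str = ""


class Analyzer:
    """Keeps the expected skeleton for each registered query site ("hot spot",
    an assumed name) and checks every statement submitted from that site."""
    def __init__(self):
        self.templates = {}

    def register(self, hotspot, template_sql):
        self.templates[hotspot] = skeleton(template_sql)

    def check(self, hotspot, sql):
        expected = self.templates.get(hotspot)
        if expected is None:                     # fail closed on unknown call sites
            return Verdict(hotspot, False, "unregistered hot spot")
        actual = skeleton(sql)
        if actual != expected:
            return Verdict(hotspot, False, "structure changed: " + " ".join(actual))
        return Verdict(hotspot, True)


class Responder:
    """Acts on a rejected statement: records an alert and refuses execution."""
    def __init__(self):
        self.alerts = []

    def reject(self, verdict, sql):
        self.alerts.append((verdict.hotspot, verdict.reason, sql))
        raise InjectionBlocked(verdict.hotspot + ": " + verdict.reason)


class DefenseMiddleware:
    """Sits between application code and the database connection. The
    application still builds its SQL as before; only the call site changes
    from conn.execute(sql) to mw.execute(hotspot, sql)."""
    def __init__(self, connection):
        self.conn = connection
        self.analyzer = Analyzer()
        self.responder = Responder()

    def register(self, hotspot, template_sql):
        self.analyzer.register(hotspot, template_sql)

    def execute(self, hotspot, sql, params=()):
        verdict = self.analyzer.check(hotspot, sql)
        if not verdict.allowed:
            self.responder.reject(verdict, sql)
        return self.conn.execute(sql, params).fetchall()


def build_demo():
    """Constructed sample database and middleware; the row data is invented."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
    mw = DefenseMiddleware(conn)
    # The template is the statement as the developer wrote it; its literals are
    # placeholders, so any benign value passes and any structural change fails.
    mw.register("login", "SELECT id FROM users WHERE name = 'n' AND password = 'p'")
    return mw


def login(mw, name, password):
    """Lookup written with string concatenation, i.e. the kind of existing code
    the middleware is meant to protect without the application being rewritten."""
    sql = ("SELECT id FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return mw.execute("login", sql)


if __name__ == "__main__":
    mw = build_demo()
    print(login(mw, "alice", "s3cret"))              # [(1,)]
    try:
        login(mw, "alice' OR '1'='1", "anything")
    except InjectionBlocked as e:
        print("blocked:", e)
```

The application code keeps its concatenated query exactly as written; the only integration point is the `execute` call, which is what makes the defense module reusable across applications. Unregistered call sites are refused rather than passed through, so forgetting to register a hot spot surfaces immediately during testing instead of silently leaving that query unprotected.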