
SQL Injection Detection Method Realization

Posted on: 2012-03-09
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhou
GTID: 2218330368488947
Subject: Computer technology

Abstract/Summary:
As the Internet reaches ever more widely, Web applications have become a primary part of it, supporting information publication and communication in finance, politics, business and other fields. However, because programmers lack security awareness or experience, Web application security problems are becoming increasingly serious. Among Web application security vulnerabilities, "SQL injection" has the highest incidence and poses the greatest danger.

This thesis presents a series of studies on "SQL injection" detection technologies and prevention methods for Web applications backed by a SQL Server database. The main work of the thesis is summarized as follows:

Firstly, building on a study of the concept, causes and characteristics of "SQL injection", the thesis analyzes the "SQL injection" process and its implementation, generalizes 7 attack patterns of "SQL injection", and then proposes a new pattern of "SQL injection", providing unified theoretical support for "SQL injection" solutions.

Secondly, the thesis analyzes the common "SQL injection" detection technologies with their advantages and disadvantages, and improves a prevention method at the coding level and the platform level, improving the accuracy of "SQL injection" prevention and effectively reducing the risk of "SQL injection".

Thirdly, the thesis analyzes, through experiments, the main functions and injection process of two popular "SQL injection" tools and summarizes the problems of these tools, then designs a "multi-thread analysis method" based on SQL Server to improve the speed and injection possibility of the tools.

Fourthly, the thesis implements a "SQL injection" tool for Web applications with a SQL Server database, based on the "multi-thread analysis method", which detects SQL injection and guesses the data.

The tool was used in the security testing of the "National research information sharing system" project of the National Science and Technology Information Center, with good results.
Keywords/Search Tags: SQL injection, Detection technology, Prevention methods, SQL injection tool