
Research And Implementation Of Multi-dimensional Preventing SQL Injection Attack Based On Web System

Posted on: 2017-02-13
Degree: Master
Type: Thesis
Country: China
Candidate: X T Zou
GTID: 2348330518495970
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of the Internet, the number of web applications is increasing quickly. More and more critical business that depends on the Internet is carried out through web applications, such as e-commerce, e-government affairs, and social networking. But the Internet is open and lacks security. Web application development cycles are short, and the ability of developers varies, so the data of web applications is easily stolen, modified, or deleted. Hence, ensuring data security in web applications is one of the most important tasks and fields of study. SQL injection attacks (SQLIA) have been the most important vulnerability in the top 10 web security issues described by OWASP (Open Web Application Security Project) from 2010 to now. In simple terms, SQLIA is behavior in which the attacker injects malicious SQL commands through a request into the back-end database server and ultimately tricks the server into executing the malicious commands.

After researching the principles and techniques of SQLIA, this paper summarizes the features of SQLIA and divides the attacks into two categories: common SQL injection attacks, which contain certain character strings, and attacks that change the logical structure of the SQL statement. Based on a study of existing SQLIA detection and prevention schemes, we propose a new scheme that defends against SQLIA in multiple dimensions. The scheme applies different measures to each layer of the three-layer structure of a web application in order to be more effective against SQLIA. First, a web front-end defense module filters all user requests to ensure, as far as possible, that all data transmitted to the back end of the web application is "clean". Second, the scheme adds a real-time supervision module to the business logic layer of the web application, which detects SQLIA by encrypting SQL keywords and by means of a statistical module. Then, the scheme designs a user account module with salted hashing to further enhance the security of the web application. Finally, experiments verify the effectiveness of the proposed scheme in preventing SQL injection attacks against web applications.
Keywords/Search Tags:web security, SQL-Injection Attack, statistical module, encryption