The Research Of An AOP-based Approach To The Detection And Defense Of SQL Injection Attack

Posted on: 2018-04-18
Degree: Master
Type: Thesis
Country: China
Candidate: W Qing
Full Text: PDF
GTID: 2348330542970290
Subject: Computer application technology
Abstract/Summary:
With the increasing use of web applications, the attacks they face have gradually become more prominent. SQL injection attacks (SQLIAs) have been the most dangerous form of web-based attack: by constructing malicious input data, an attacker ultimately changes the logical structure of the original SQL statement. How to defend against SQLIAs more effectively has therefore become an urgent problem. An analysis of the characteristics of existing SQLIAs concludes that they have obvious attack characteristics. In addition, any SQLIA that is injected successfully modifies the logical structure of the original SQL. Based on this, the paper divides the defense against SQLIAs into two parts. In the first part, common SQLIAs are handled with AOP by declaring aspects and pointcuts. Although the capability of this part is limited, it avoids problems such as database bottlenecks and database performance. The second part makes up for the shortcomings of the first by checking again for some SQLIAs. This part, named the validation of logical structure, defends against SQLIAs at the root of the attack. First, the location of SQLIAs, the signature, and the string of the static SQL model are obtained automatically by a code analyzer. Then, the executed SQL statement is captured dynamically with AOP during program execution. Finally, whether a SQLIA is present is judged by comparing the static analysis information with the dynamic information. The article takes a regular web project as its experimental object and lists different types of attacks to verify the validity of the method. It also summarizes and analyzes existing research to strengthen the feasibility of the method. The results show that this method can solve SQLIAs effectively.
Keywords/Search Tags: SQL Injection Attack, AOP, Attack characteristic, logical structure
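
One way the static-versus-dynamic comparison described in the abstract could work, as an added example that is not code from the thesis: a Python decorator stands in for the AOP advice at the query execution point. The tokenizer and the names `LOGIN_MODEL`, `run_query` and `login_sql` are hypothetical and constructed for illustration.

```python
import functools
import re

# Tokens: string literals, numbers, '?' placeholders, comment markers, words, operators.
_TOKEN = re.compile(r"""
    (?P<str>'(?:[^']|'')*')            # quoted literal; '' is an escaped quote
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<ph>\?)
  | (?P<cmt>--|/\*|\*/|\#)
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)
  | (?P<op><=|>=|<>|!=|[^\sA-Za-z0-9_])
""", re.VERBOSE)

def skeleton(sql):
    """Reduce a statement to its logical structure: every literal becomes '?'."""
    out = []
    for m in _TOKEN.finditer(sql):
        if m.lastgroup in ("str", "num", "ph"):
            out.append("?")
        elif m.lastgroup == "word":
            out.append(m.group().upper())   # keywords and identifiers, case-folded
        else:
            out.append(m.group())           # operators, comment markers, stray quotes
    return out

class StructureViolation(Exception):
    """The runtime statement's structure differs from the static model."""

def validated(static_model):
    """Decorator playing the role of 'around' advice on the execution pointcut."""
    expected = skeleton(static_model)
    def advice(execute):
        @functools.wraps(execute)
        def wrapper(sql, *args, **kwargs):
            if skeleton(sql) != expected:   # dynamic structure vs. static model
                raise StructureViolation(sql)
            return execute(sql, *args, **kwargs)
        return wrapper
    return advice

# Constructed static model, as a code analyzer might record it for one call site.
LOGIN_MODEL = "SELECT id FROM users WHERE name = ? AND pwd = ?"

@validated(LOGIN_MODEL)
def run_query(sql):
    return "executed"  # stand-in for the real database call (assumption)

def login_sql(name, pwd):
    # Built by concatenation on purpose: the kind of call site the check guards.
    return "SELECT id FROM users WHERE name = '" + name + "' AND pwd = '" + pwd + "'"
```

A runtime statement whose input adds tokens (an extra `OR` clause, a comment marker, an unbalanced quote) no longer matches the model and raises `StructureViolation` before the query runs; a correctly escaped value such as `O''Brien` still passes.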