SQL injection attacks can damage the database systems connected to web services or allow the data held in those databases to be stolen. Most previous research has aimed at defending against SQL injection attacks in general, but defenses against attacks that target stored procedures have been lacking. In this study we extend the scope of the defense to cover composite SQL injection attacks that occur inside stored procedures. In the static analysis phase, besides analyzing the web application's source code, we also analyze the contents of the stored procedures in the database to identify the relationships between user input parameters and the SQL statements inside the procedures. In the dynamic analysis phase, when a user submits input parameters, the system checks whether substituting the parameters into the stored procedure and combining them with its SQL statements would produce a SQL injection attack; if so, it blocks the attack and rejects the request. With our defense mechanism, users and web programmers obtain protection without needing to know how the defense program works; the system administrator only needs to deploy the defense program on the web server side.
SQL injection attacks may lead to data theft, content destruction, and even database crashes. Many defense mechanisms have been proposed to resolve explicit SQL injection attacks, where the attacks take advantage of the web application programs. However, defense against SQL injection attacks aimed at the stored procedures provided by the supporting database system has not been successfully addressed. In this study, we extend the input legitimacy validation method to SQL injection attacks on stored procedures. Besides the web application program, the static analysis is also performed on the stored procedures provided by the database system to obtain knowledge of the relationships between user input parameters and the stored procedures. During the on-line dynamic analysis phase, input parameters are verified according to the previously derived knowledge. If a potential SQL injection attack is detected, the user request is rejected before it is forwarded to the web application programs. The proposed enhancement to the original method provides a more comprehensive defense against SQL injection attacks. Our method is transparent to users and web application program designers. It provides effective defense with no need to rewrite application programs.
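The two-phase scheme described in both abstracts (static analysis of a stored procedure to learn which input parameters flow into its dynamic SQL, then on-line validation of each request against that knowledge) can be illustrated with a small prototype. The following Python is an added example, not code from the paper or its authors. It assumes a T-SQL-style procedure that builds a query by string concatenation and executes it with EXEC (a constructed sample), and it assumes that "input legitimacy" is judged by comparing the SQL token structure produced by the real input with the structure produced by a benign placeholder; the paper's own validation rule may differ.

```python
import re

# Constructed sample stored procedure (not taken from the paper): both parameters are
# concatenated into a dynamic SQL string, so both are injectable.
STORED_PROC = """
CREATE PROCEDURE dbo.GetUser @name NVARCHAR(50), @id INT AS
BEGIN
  DECLARE @sql NVARCHAR(200)
  SET @sql = 'SELECT * FROM users WHERE name = ''' + @name + ''' AND id = ' + CAST(@id AS NVARCHAR)
  EXEC(@sql)
END
"""

# Minimal SQL lexer: string literals, comments, numbers, identifiers/keywords, operators.
TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')        # quoted literal, '' is an escaped quote
  | (?P<comment>--[^\n]*|/\*.*?\*/)   # line or block comment
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_][A-Za-z_0-9]*)
  | (?P<op>[=<>!]+|[();,+*/-])
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)


def tokenize(sql):
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:                       # unknown character: keep it as its own token
            tokens.append(("other", sql[pos])); pos += 1; continue
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def signature(sql):
    """Structural fingerprint: values of literals are ignored, everything else is kept."""
    return [(k,) if k in ("string", "number", "comment") else (k, t.upper())
            for k, t in tokenize(sql)]


def split_concat(expr):
    """Split a T-SQL concatenation expression on '+' outside quotes and parentheses."""
    parts, buf, in_str, depth, i = [], [], False, 0, 0
    while i < len(expr):
        c = expr[i]
        if in_str:
            buf.append(c)
            if c == "'":
                if i + 1 < len(expr) and expr[i + 1] == "'":
                    buf.append("'"); i += 1          # escaped quote inside literal
                else:
                    in_str = False
        elif c == "'":
            in_str = True; buf.append(c)
        elif c in "()":
            depth += 1 if c == "(" else -1; buf.append(c)
        elif c == "+" and depth == 0:
            parts.append("".join(buf).strip()); buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def analyze_procedure(proc_text):
    """Static phase: relate declared parameters to the dynamic SQL they are spliced into."""
    header = re.search(r"CREATE\s+PROCEDURE\s+[\w.]+\s*(.*?)\s+AS\b", proc_text, re.S | re.I)
    declared = re.findall(r"@\w+", header.group(1)) if header else []
    assignment = re.search(r"SET\s+@\w+\s*=\s*(.+)", proc_text)
    template = []                       # sequence of ("lit", text) / ("param", name)
    for part in split_concat(assignment.group(1)):
        if part.startswith("'"):
            template.append(("lit", part[1:-1].replace("''", "'")))
        else:
            m = re.search(r"@\w+", part)
            if not m:
                raise ValueError("unsupported concatenation operand: " + part)
            template.append(("param", m.group()))
    tainted = [p for p in declared if ("param", p) in template]
    # Expected structure is learned once, with a benign placeholder in every slot.
    expected = signature(build_sql(template, {p: "1" for p in tainted}))
    return {"tainted": tainted, "template": template, "expected": expected}


def build_sql(template, inputs):
    return "".join(text if kind == "lit" else str(inputs[text]) for kind, text in template)


def is_injection(knowledge, inputs):
    """Dynamic phase: reject a request whose inputs change the query's token structure."""
    return signature(build_sql(knowledge["template"], inputs)) != knowledge["expected"]


if __name__ == "__main__":
    knowledge = analyze_procedure(STORED_PROC)
    print("parameters reaching dynamic SQL:", knowledge["tainted"])
    for req in ({"@name": "alice", "@id": "42"},
                {"@name": "x' OR '1'='1", "@id": "42"},
                {"@name": "alice", "@id": "42; DROP TABLE users--"}):
        print(req, "->", "REJECT" if is_injection(knowledge, req) else "accept")
```

Because the check compares structure rather than values, an input containing a correctly doubled apostrophe still yields a single string-literal token and is accepted, while an input that closes the literal, appends a comment or adds a second predicate changes the token sequence and is rejected before the request reaches the application. The reference structure is derived from the procedure text itself, which is what lets the filter sit on the web server without the application or the procedure being rewritten.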