
Computer Engineering (计算机工程) ›› 2011, Vol. 37 ›› Issue (5): 158-160. doi: 10.3969/j.issn.1000-3428.2011.05.053

• Security Technology •

Design of SQL Injection Filtering Module Based on Regular Expression
(基于正则表示的SQL注入过滤模块设计)

WANG Wei-ping (王伟平), LI Chang (李昌), DUAN Gui-hua (段桂华)

  1. School of Information Science and Engineering, Central South University, Changsha 410083, China
  • Online: 2011-03-05 Published: 2011-03-05
  • About the authors: WANG Wei-ping (b. 1969), female, professor; research interests: network information security, anonymous communication. LI Chang, master's student. DUAN Gui-hua, associate professor.

Abstract: This paper studies the behaviour and syntactic features of SQL injection attacks, describes those attack features with regular expressions, and on that basis designs a SQL injection filtering module for the Web server side, so that each HTTP request is checked for injection attacks before it is handed to the system module for processing. Test results show that, compared with filtering based purely on keywords, filtering based on regular expressions achieves a higher recognition rate and a lower false positive rate; a Web server loaded with the filtering module intercepts a variety of SQL injection attacks effectively, with only a small added service delay.

Key words: SQL injection, regular expression, server-side defense
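As an added illustration of the comparison the abstract makes (example code, not the paper's own module or rule set), the following Python runs a keyword-only filter and a regex filter that describes injection syntax over the decoded parameters of constructed HTTP query strings; the rules, parameter names and sample requests are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl

# Baseline the paper compares against: reject on any bare SQL keyword.
KEYWORDS = {"select", "union", "insert", "update", "delete", "drop", "or", "and"}

def keyword_filter(value: str) -> bool:
    return any(w in KEYWORDS for w in re.findall(r"[a-z]+", value.lower()))

# Constructed rules describing injection syntax (quote followed by a boolean
# clause, UNION SELECT, trailing comment, stacked query), not isolated words.
RULES = {
    "quote_then_boolean": re.compile(r"'\s*(?:or|and)\b\s*['\w]+\s*(?:=|like\b)", re.I),
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "comment_terminator": re.compile(r"(?:--|#|/\*)\s*$"),
    "stacked_query": re.compile(r";\s*(?:drop|delete|insert|update|exec)\b", re.I),
}

def regex_filter(value: str) -> list:
    """Names of the rules the value matches; an empty list means clean."""
    return [name for name, rx in RULES.items() if rx.search(value)]

def inspect_request(query_string: str, detector=regex_filter) -> dict:
    """Decode each parameter as the application would, run the detector on it and
    return {param: finding} for flagged parameters (empty dict: let it through)."""
    findings = {}
    for key, raw in parse_qsl(query_string, keep_blank_values=True):
        hit = detector(raw)
        if hit:
            findings[key] = hit
    return findings

# Constructed test requests: (query string, is_attack).
SAMPLES = [
    ("id=42", False),
    ("q=union+station+select+board", False),     # benign words that are also keywords
    ("comment=coffee+and+tea+or+juice", False),  # boolean words in ordinary prose
    ("user=admin%27+OR+%271%27%3D%271", True),   # admin' OR '1'='1
    ("id=1+UNION+SELECT+username%2Cpassword+FROM+users", True),
    ("id=1%3B+DROP+TABLE+users+--", True),       # 1; DROP TABLE users --
]

def evaluate(detector, samples=SAMPLES) -> dict:
    """Count true positives, false positives and misses for one detector."""
    counts = {"tp": 0, "fp": 0, "fn": 0}
    for qs, is_attack in samples:
        flagged = bool(inspect_request(qs, detector))
        if flagged or is_attack:
            counts["tp" if flagged and is_attack else "fp" if flagged else "fn"] += 1
    return counts
```

On these samples both filters catch the three attack strings, but `evaluate(keyword_filter)` reports two false positives on benign text while `evaluate(regex_filter)` reports none; a deployed module would additionally log the matched rule name so that false positives can be reviewed and the rules tuned.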
