
Computer Engineering ›› 2011, Vol. 37 ›› Issue (11): 152-154,157. doi: 10.3969/j.issn.1000-3428.2011.11.052

• Security Technology •

A Method of Defending Against SQL Injection Attacks Using PHP

丁 翔,仇 寅,郑 滔   

  1. (Software Institute, Nanjing University, Nanjing 210093)
  • Received: 2010-11-04 Online: 2011-06-05 Published: 2011-06-05
  • About the authors: DING Xiang (born 1985), male, master's student, research interest: Web security; QIU Yin, master's student; ZHENG Tao, professor
  • Funding:
    National Natural Science Foundation of China (60773171); National "863" Program key project (2007AA01Z448)

Method of Preventing SQL Injection Attack Using PHP

DING Xiang, QIU Yin, ZHENG Tao   

  1. (Software Institute, Nanjing University, Nanjing 210093, China)
  • Received:2010-11-04 Online:2011-06-05 Published:2011-06-05

Abstract: The widespread use of PHP in Web application development has made PHP Web applications a target for many malicious attackers. This paper modifies the PHP interpreter and runtime library so that PHP Web applications can defend against SQL injection attacks without any change to the applications themselves. Unlike conventional defences based on dynamic tainting, it uses a tainting mechanism based on trusted input together with an SQL dialect-aware checking method, which resolves many problems of conventional Web vulnerability defences, improves detection accuracy and eliminates false positives. Experimental results show that the method is accurate and effective and imposes low overhead on application execution.

Keywords: dynamic tainting, trusted input, dialect-aware, injection attack

Abstract: The widespread use of PHP in Web application development makes PHP Web applications the target of many malicious attackers. On this basis, by modifying the PHP interpreter and runtime libraries, PHP Web applications can be made to prevent SQL injection attacks without modification of the original applications. Unlike traditional prevention methods based on dynamic tainting, this paper uses a tainting mechanism based on trusted input together with an SQL dialect-aware check method, which solves many existing problems of traditional prevention methods. As a result, the method improves on the precision of traditional prevention methods, without any false positives. Experimental results show that the method is precise and highly efficient, with little overhead for PHP Web applications.

Key words: dynamic tainting, trusted input, dialect-aware, injection attack
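The two ideas the abstract combines, trusted-input tainting and a dialect-aware check of the assembled query, as an added example that is not the authors' implementation (theirs lives inside the modified PHP interpreter; this is a stand-alone Python simulation). The dialect table, the `query_for` helper, the trust mask representation and all queries are constructed for illustration.

```python
import re

# Constructed dialect table (an assumption standing in for the paper's SQL
# dialect-aware check). MySQL differs from ANSI SQL in accepting '#' line
# comments and backslash escapes inside string literals; a checker that ignores
# either misjudges where a literal ends or where a comment begins.
DIALECTS = {
    "mysql": {"comment": r"--[^\n]*|#[^\n]*|/\*.*?\*/",
              "string": r"'(?:[^'\\]|''|\\.)*'"},
    "ansi": {"comment": r"--[^\n]*|/\*.*?\*/",
             "string": r"'(?:[^']|'')*'"},
}

def tokenize(sql, dialect):
    """Return (kind, start, end) for each token of sql under the given dialect."""
    d = DIALECTS[dialect]
    pat = re.compile(
        rf"(?P<comment>{d['comment']})|(?P<string>{d['string']})"
        r"|(?P<number>\d+(?:\.\d+)?)|(?P<word>[A-Za-z_]\w*|`[^`]*`)"
        r"|(?P<op><>|<=|>=|!=|\|\||&&|\S)", re.DOTALL)
    return [(m.lastgroup, m.start(), m.end()) for m in pat.finditer(sql)]

def build_query(parts):
    """parts: list of (text, trusted). Mirrors trusted-input tainting: string
    constants from the application source are trusted, request data is not, and
    concatenation carries a per-character trust mask along with the text."""
    text = "".join(p for p, _ in parts)
    mask = [t for p, t in parts for _ in p]
    return text, mask

def check_query(parts, dialect="mysql"):
    """Accept the query only if every keyword, identifier, operator and comment,
    and the two delimiters of every string literal, consist solely of trusted
    characters; untrusted data may appear only as the value of a literal."""
    sql, mask = build_query(parts)
    for kind, start, end in tokenize(sql, dialect):
        if kind == "number":
            continue
        span = (start, end - 1) if kind == "string" else range(start, end)
        if not all(mask[i] for i in span):
            return False, f"untrusted {kind} token {sql[start:end]!r}"
    return True, "ok"

def query_for(username, escaped=False):
    """Hypothetical PHP app: "SELECT ... WHERE name = '" . $_GET['u'] . "'",
    optionally after MySQL-style backslash escaping of the request value."""
    value = username.replace("'", "\\'") if escaped else username
    return [("SELECT id FROM users WHERE name = '", True), (value, False), ("'", True)]
```

Because the check looks at the token structure rather than at the raw bytes, the same escaped value is accepted under MySQL semantics (where `\'` stays inside the literal) and rejected under ANSI semantics (where it closes it), which is the kind of discrepancy a dialect-unaware checker cannot express.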
