CN103067376B - Memory-based SQL injection attack defence method - Google Patents


Info

Publication number: CN103067376B
Application number: CN201210575897.1A
Authority: CN (China)
Prior art keywords: user, user information, information, verification, in-memory database
Legal status: Active (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN103067376A
Inventors: 吴为民, 梁浩
Current assignee: Beijing Infobird Software Co Ltd (as listed; not verified by legal analysis)
Original assignee: Beijing Infobird Software Co Ltd
Priority date: 2012-12-26 (an assumption, not a legal conclusion)
Filing date: 2012-12-26
Publication dates: 2013-04-24 (CN103067376A), 2017-03-15 (CN103067376B)

Events
Application filed by Beijing Infobird Software Co Ltd
Priority to CN201210575897.1A
Publication of CN103067376A
Application granted
Publication of CN103067376B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention discloses a memory-based SQL injection attack defence method comprising the following steps. User registration: user information is stored in the database and also placed in an in-memory database. User modification: when the user information in the database is modified, the user information in the in-memory database is modified synchronously. User verification: according to the state of a configuration item, either the in-memory database mode or the database mode is selected to verify the user information. On the one hand, the invention uses a NoSQL in-memory database to compare the verification information submitted by the user, as the verification condition, against key-value pair information stored in advance. This fundamentally replaces the traditional SQL statement comparison approach and avoids the occurrence of SQL injection. On the other hand, the whole verification process is based on computation over in-memory data and does not interact with the server's hard disk storage medium, which greatly improves operational efficiency.

Description

Memory-based SQL injection attack defence method
Technical field
The present invention relates to a SQL injection attack defence method, and in particular to a memory-based SQL injection attack defence method, and belongs to the technical field of network security.
Background technology
With the development of the Internet, Web application systems based on the B/S (browser/server) model, such as e-commerce systems and e-government systems, are increasingly favoured by users of all kinds. Most Web application systems need to interact with users. When a user interacts with the server through an application, the server verifies, controls and records the user's behaviour through the login interface, which protects the security of operations.
In the traditional database verification model, the user typically enters a user name and password on the login interface. The data are first validated on the client side: if they are illegal (for example, they contain characters that are not allowed) or empty, the user is prompted for an input error; otherwise the two pieces of information are submitted to the background program. In the server-side background program, the two pieces of information are combined and compared against the user's registration information stored in a persistent medium (such as a database or a file). If verification succeeds, the session information of the user is established and the user is allowed to log in to the background page. During the whole interaction between the user and the server, the session information is used to verify the user's permissions. After the user logs out, the session information is cancelled. If verification fails, the user is told that the login information is wrong and returned to the login interface. However, the traditional database verification model has the following problem: client and server validation are not strict and cannot prevent the user from entering certain illegal information, of which the most dangerous is SQL injection.
So-called SQL injection means inserting carefully crafted SQL commands into a Web form submission, or into the query string of an input domain name or page request, so that the server is finally tricked into executing malicious SQL commands. For example, many film and television websites have leaked VIP member passwords, mostly because they implement queries by submitting query strings through Web forms, and such forms are particularly vulnerable to SQL injection attacks. Because SQL injection arrives through the normal WWW port and looks no different from ordinary access to a Web page, the firewalls commonly used today cannot detect SQL injection.
The basic approach exploited by SQL injection is as follows. When the submitted user name and password are verified, the following statement is executed:
"Select * from aa_user where user_name='".$user_name."' and password='".$password."' limit 1"
Here $user_name and $password are two variables that refer respectively to the user name and password the user submits to the server through the login interface. According to the above SQL statement, if the data submitted by the user exist in the user table (that is, the user name and password occur together in one record), a record set is returned, meaning verification succeeds; otherwise an empty result is returned.
When both the user name and the password are entered as ' or 1, the above SQL is spliced into the following statement:
Select * from aa_user where user_name='' or 1 and password='' or 1 limit 1
Because of the evaluation order of and and or in this SQL statement, the verification of the user name and password is bypassed, which makes it possible to log in illegally and steal user information.
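Added example for the background section above, written for this page and not taken from the patent: the concatenated credential query the description quotes, the spliced statement it shows as the result of entering ' or 1, and a parameterized version whose statement structure cannot be altered by the input. The aa_user rows and the sample credentials are constructed.

```python
# Added example for the background section above, written for this page
# (not the patent's own code): the concatenated credential query the
# description quotes, beside a parameterized version. The aa_user rows and
# the sample credentials are constructed.
import sqlite3


def make_db():
    """Constructed aa_user table with one registered user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aa_user (user_name TEXT, password TEXT)")
    conn.execute("INSERT INTO aa_user VALUES ('alice', 'correct-horse')")
    return conn


def build_query_unsafe(user_name, password):
    """String concatenation as in the description: the input becomes part of
    the SQL text, so quote characters and 'or 1' change the statement."""
    return ("Select * from aa_user where user_name='" + user_name +
            "' and password='" + password + "' limit 1")


def verify_unsafe_statement_from_description(conn):
    """Runs the spliced statement the description shows as the result of
    entering ' or 1 in both fields. With 'or 1' in the WHERE clause the
    condition is true for every row, so a record is returned although
    both credentials are empty."""
    stmt = ("Select * from aa_user where user_name='' or 1 "
            "and password='' or 1 limit 1")
    return conn.execute(stmt).fetchone() is not None


def verify_safe(conn, user_name, password):
    """Parameterized form: the driver passes the values as data and the
    statement structure is fixed, so ' or 1 is just a nonexistent name.
    Plaintext password comparison is kept only to mirror the description;
    a real system compares against a stored password hash."""
    row = conn.execute(
        "SELECT * FROM aa_user WHERE user_name=? AND password=? LIMIT 1",
        (user_name, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe("' or 1", "' or 1"))
    print("spliced statement returns a row:",
          verify_unsafe_statement_from_description(db))
    print("parameterized, injected input:",
          verify_safe(db, "' or 1", "' or 1"))
    print("parameterized, real credentials:",
          verify_safe(db, "alice", "correct-horse"))
```

The spliced statement returns alice's row with both fields empty, which is the bypass the description explains; the parameterized query returns nothing for the same input and a row only for the real credentials. In the patent's terms, the parameterized query is the conventional fix for the concatenation in the background section; the invention itself replaces the SQL comparison with a key-value lookup, which the later example on this page illustrates.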
Content of the invention
In view of the deficiencies of the prior art, the technical problem to be solved by the present invention is to provide a memory-based SQL injection attack defence method. The method prevents SQL injection attacks and at the same time greatly improves the speed of server-side user verification.
To achieve the above object of the invention, the present invention adopts the following technical scheme:
A memory-based SQL injection attack defence method comprising the following steps:
User registration: user information is stored in the database and also placed in an in-memory database;
User modification: when the user information in the database is modified, the user information in the in-memory database is modified synchronously;
User verification: according to the state of a configuration item, either the in-memory database mode or the database mode is selected to verify the user information.
Preferably, the user information is stored in the in-memory database in key-value pair form, where
the user name is the key and the verification information is the value.
Preferably, the step of selecting the in-memory database mode or the database mode according to the configuration item to verify the user information further includes:
judging the state of the configuration item;
if the configuration item specifies verification from the in-memory database, connecting to the in-memory database to verify the user information;
if the configuration item specifies verification from the database, connecting to the database to verify the user information.
Preferably, the step of connecting to the in-memory database to verify the user information further includes:
judging whether the connection to the in-memory database succeeded;
if the connection succeeded, obtaining the namespace of the user information and verifying the user information;
if the connection failed, verifying the user information from the database.
Preferably, the step of obtaining the namespace of the user information and verifying the user information further includes:
judging the namespace of the user information;
if it is empty, traversing the information of all users from the database, constructing hash data, and verifying the information of the user to be logged in;
if it is not empty, verifying the user information according to the user name.
Preferably, the step of verifying the user information according to the user name further includes:
according to the user name, querying and judging whether the user name record exists, and verifying the password information of the record: if incorrect, returning an error message; if correct, returning the key value from the in-memory database.
On the one hand, the memory-based SQL injection attack defence method provided by the present invention uses a NoSQL in-memory database to compare the verification information submitted by the user, as the verification condition, against key-value pair information stored in advance. This fundamentally replaces the traditional SQL statement comparison approach and avoids the occurrence of SQL injection. On the other hand, the whole verification process is based on computation over in-memory data and does not interact with the server's hard disk storage medium, which greatly improves operational efficiency.
Description of the drawings
Fig. 1 is a schematic flow chart of the memory-based SQL injection attack defence method provided by the present invention.
Specific embodiment
The present invention is described in further detail below with reference to the accompanying drawing and specific embodiments.
The present invention provides a memory-based SQL injection attack defence method comprising the following steps. User registration: user information is stored in the database and also placed in an in-memory database. User modification: when the user information in the database is modified, the user information in the in-memory database is modified synchronously. User verification: according to the state of a configuration item, either the in-memory database mode or the database mode is selected to verify the user information. The memory-based SQL injection attack defence method is described in detail below.
First, the user registration stage. When a user submits a registration request to the server, the user must provide user information to the server. The user information includes registration information and the necessary verification information, and the server saves this information after receiving it. The user registration information generally comprises the user name. The verification information generally comprises the password and other verification information (for example, enterprise ID, role, permission information, mailbox, etc.). After receiving the user information submitted by the user, the server stores it in the server's database and also places it in the in-memory database. In one embodiment of the invention, the in-memory database is preferably a non-relational database, such as a NoSQL in-memory database. When the NoSQL in-memory database stores this user information, the registration information and the verification information are preferably stored in key-value pair form, where a uniquely identifying field (for example, the registered user name) serves as the key name of the key-value pair, and the other verification information serves as the key value (which may be a serialized array string). Specifically, reference may be made to the code shown below:
Second, the user modification stage. After submitting registration information, the user is not prevented from changing or deleting user information. When the user changes or deletes user information, the server modifies the user information in the database and at the same time synchronously modifies the user information in the in-memory database. Modification of user information is not unrestricted: to prevent the user's modification operations from affecting efficiency, they must be limited to a range acceptable to the user, and the number of user information modifications is limited.
Finally, the user verification stage. A configuration item is set in the server; it is used to select, when a user submits a login request, whether verification is performed in in-memory database mode or in database mode. If the in-memory database mode is not enabled, the database verification mode is used by default, which preserves the database verification mode and reflects the flexibility of this plug-in design. If the in-memory database mode is enabled, the in-memory database mode is used in preference.
After the user has submitted registration information or modified user information, the user needs to log in to the server to carry out the required interactions. When logging in to the server, the user information submitted by the user must be verified according to the state of the configuration item. This is described as follows:
In the present invention, when a user submits a login request, the server, according to the state of the configuration item, verifies the login information submitted by the user against the verification information stored in memory, in combination with the database.
As shown in Fig. 1, when the server receives the login information submitted by the user, it first judges the state of the configuration item. If the configuration item specifies verification from the in-memory database, it connects to the in-memory database to verify the user information; if the configuration item specifies verification from the database, it connects to the database to verify the user information. Verifying user information in database mode is an existing known technique and is not described in detail here. Verification of user information in in-memory database mode is explained in detail below.
Second, the in-memory database is connected according to the configuration item to verify the user information. When the present invention verifies user information through the in-memory database, it first judges whether the connection to the in-memory database succeeded. If the connection succeeded, it obtains the namespace of the user information in the in-memory database (for example: SYS_USER_INFO) and verifies the user information; if the connection to the in-memory database failed, it falls back to verifying the user information from the database.
Third, the namespace of the user information is obtained and the user information is verified. When the present invention verifies user information using the namespace of the user information, it first judges the namespace of the user information. If it is empty, the information of all users is traversed from the database, hash data are constructed from it, and the information of the user to be logged in is verified against these data; if it is not empty, the user information is verified according to the user name.
Finally, the user information is verified according to the user name. According to the user name, the present invention queries and judges whether the user name record exists, and verifies the password information of the record. If the user name or password is incorrect, an error message is returned; if correct, the key value from the in-memory database is returned. The key value stored in memory is then written directly into the program session, and the user login flow ends.
In the present invention, when an intruder enters a maliciously spliced SQL statement fragment, these data are submitted to memory, and the key-value pair verification method involves no and/or relations of SQL statements: when the submitted user name is found not to exist, or the password is wrong, an error message is returned directly.
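Added illustration, written for this page and not the patent's own code, of the three stages described above (the key-value record layout of the registration stage and the verification flow of Fig. 1): registration into both the database and an in-memory key-value store, synchronized modification, and verification that picks the in-memory path or the database path by a configuration item, rebuilds the namespace from the database when it is empty, and falls back to the database when the in-memory store cannot be connected. The MemoryStore class (a dict standing in for a NoSQL in-memory database), the record layout, the PBKDF2 password hashing and the parameterized database path are assumptions; the namespace name SYS_USER_INFO comes from the description.

```python
# Added illustration, written for this page (not the patent's own code), of
# registration, synchronized modification and verification as described in
# the specific embodiment. MemoryStore (a dict standing in for a NoSQL
# in-memory database), the record layout, PBKDF2 hashing and the
# parameterized database path are assumptions; SYS_USER_INFO is the
# namespace name given in the description.
import hashlib
import hmac
import os
import sqlite3

NAMESPACE = "SYS_USER_INFO"


def hash_password(password, salt=None):
    """PBKDF2-SHA256 (assumption: the description stores 'verification
    information' as a serialized value; here that value holds a hash)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MemoryStore:
    """Stand-in for the NoSQL in-memory database: namespace -> {key: value}."""

    def __init__(self, connected=True):
        self.connected = connected   # simulates whether the connection succeeds
        self.spaces = {}

    def put(self, ns, key, value):
        self.spaces.setdefault(ns, {})[key] = value

    def get(self, ns, key):
        return self.spaces.get(ns, {}).get(key)

    def namespace_empty(self, ns):
        return not self.spaces.get(ns)


class Server:
    def __init__(self, use_memory=True, memory_connected=True):
        self.use_memory = use_memory          # the configuration item
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE aa_user (user_name TEXT PRIMARY KEY, "
                        "salt BLOB, pw_hash BLOB, role TEXT)")
        self.mem = MemoryStore(memory_connected)

    # User registration: write to the database and to the in-memory store,
    # user name as key, verification information as value.
    def register(self, user_name, password, role="user"):
        salt, digest = hash_password(password)
        self.db.execute("INSERT INTO aa_user VALUES (?, ?, ?, ?)",
                        (user_name, salt, digest, role))
        self.mem.put(NAMESPACE, user_name,
                     {"salt": salt, "pw_hash": digest, "role": role})

    # User modification: update the database, then synchronously the store.
    def change_password(self, user_name, new_password):
        salt, digest = hash_password(new_password)
        self.db.execute("UPDATE aa_user SET salt=?, pw_hash=? WHERE user_name=?",
                        (salt, digest, user_name))
        rec = self.mem.get(NAMESPACE, user_name)
        if rec is not None:
            rec.update(salt=salt, pw_hash=digest)

    # User verification: the configuration item selects the path, and an
    # unreachable in-memory store falls back to the database.
    def verify(self, user_name, password):
        """Returns the stored record (the 'key value') on success, else an
        error string."""
        if self.use_memory and self.mem.connected:
            return self._verify_memory(user_name, password)
        return self._verify_db(user_name, password)

    def _verify_memory(self, user_name, password):
        if self.mem.namespace_empty(NAMESPACE):
            # Empty namespace: traverse all users in the database and build
            # the hash data.
            for name, salt, pw_hash, role in self.db.execute(
                    "SELECT user_name, salt, pw_hash, role FROM aa_user"):
                self.mem.put(NAMESPACE, name,
                             {"salt": salt, "pw_hash": pw_hash, "role": role})
        # Plain key lookup: the submitted name is never spliced into SQL,
        # so a fragment such as ' or 1 is simply a key that does not exist.
        rec = self.mem.get(NAMESPACE, user_name)
        if rec is None:
            return "error: user name does not exist"
        return self._check(rec, password)

    def _verify_db(self, user_name, password):
        row = self.db.execute(
            "SELECT salt, pw_hash, role FROM aa_user WHERE user_name=? LIMIT 1",
            (user_name,)).fetchone()
        if row is None:
            return "error: user name does not exist"
        return self._check({"salt": row[0], "pw_hash": row[1], "role": row[2]},
                           password)

    @staticmethod
    def _check(rec, password):
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["pw_hash"]):
            return "error: wrong password"
        return rec
```

`Server(use_memory=True).verify(name, pw)` follows the Fig. 1 flow; clearing `server.mem.spaces` reproduces the empty-namespace case and the rebuild from the database, and `Server(memory_connected=False)` exercises the fallback. The returned record is what the description calls the key value written into the session; in a real deployment the session should receive only the fields it needs (role, permissions), not the salt and hash.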
When user verification is performed from the database, the server queries a database table or a file system for each verification request, and interaction with the external storage medium (external memory for short) is unavoidable. Interaction with external memory is mechanical, whereas interaction with memory is electronic, and there is generally a speed difference of 10^6 to 10^9 times between them. With the memory-based SQL injection attack defence method provided by the present invention, the whole verification process runs in the server's memory at electronic speed, which greatly improves operational efficiency. The following is a comparison of hard disk transfer speed and memory transfer speed:
In summary, on the one hand the present invention uses a NoSQL in-memory database to compare the verification information submitted by the user, as the verification condition, against key-value pair information stored in advance, fundamentally replacing the traditional SQL statement comparison approach and avoiding the occurrence of SQL injection. On the other hand, the whole verification process is based on computation over in-memory data and does not interact with the server's hard disk storage medium, which greatly improves operational efficiency.
The memory-based SQL injection attack defence method provided by the present invention has been described in detail above. For a person of ordinary skill in the art, any obvious change made to it without departing from the true spirit of the present invention constitutes an infringement of the patent right of the present invention and will incur the corresponding legal liability.

Claims (3)

1. A memory-based SQL injection attack defence method, characterised in that it comprises the following steps:
User registration: user information is placed in an in-memory database, the user information including registration information and verification information; wherein the registration information and the verification information are stored in key-value pair form, with a uniquely identifying field as the key name of the key-value pair and the verification information as the key value;
User modification: when the user information in the database is modified, the user information in the in-memory database is modified synchronously;
User verification: the in-memory database is connected according to the state of a configuration item; after the connection succeeds, the namespace of the user information is obtained and the user information is then verified, the verification condition submitted by the user being compared with the pre-stored key-value pair information, thereby avoiding the occurrence of SQL injection; wherein
the step of obtaining the namespace of the user information and then verifying the user information further includes:
judging the namespace of the user information;
if it is empty, traversing the information of all users from the database, constructing hash data, and verifying the information of the user to be logged in;
if it is not empty, querying according to the user name and judging whether the user name record exists, and verifying the password information of the record: if incorrect, returning an error message; if correct, returning the key value from the in-memory database.
2. The memory-based SQL injection attack defence method according to claim 1, characterised in that:
the uniquely identifying field is the user name.
3. The memory-based SQL injection attack defence method according to claim 1, characterised in that the step of connecting to the in-memory database to verify the user information further includes:
if the connection to the in-memory database fails, verifying the user information from the database.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210575897.1A (CN103067376B) 2012-12-26 2012-12-26 Memory-based SQL injection attack defence method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210575897.1A (CN103067376B) 2012-12-26 2012-12-26 Memory-based SQL injection attack defence method

Publications (2)

Publication Number Publication Date
CN103067376A 2013-04-24
CN103067376B (granted) 2017-03-15

Family

ID=48109838

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210575897.1A (CN103067376B, Active) Memory-based SQL injection attack defence method 2012-12-26 2012-12-26

Country Status (1)

Country Link
CN CN103067376B

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110069539B * 2019-05-05 2021-08-31 上海缤游网络科技有限公司 Data association method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101256578A * 2008-04-08 2008-09-03 中兴通讯股份有限公司 Method for implementing multi-user in internal memory database
CN101320392A * 2008-07-17 2008-12-10 中兴通讯股份有限公司 High-capacity data access method and device of internal memory database
CN101976251A * 2010-10-26 2011-02-16 国电南瑞科技股份有限公司 Method for realizing power utilization information acquisition terminal embedded database management model

Also Published As

Publication number Publication date
CN103067376A 2013-04-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant