Summary of the invention
Embodiments of the present invention provide a database security access control method and system that prevent SQL injection attacks and strengthen the security control of database systems.
According to one aspect of the present invention, a database security access control method is provided, comprising:
parsing, from a data access request sent by a data request source to a target database server, the pending Structured Query Language (SQL) statement, and parsing the identification information of the data request source and the identification information of the target database server as the attribute information of the data access request;
looking up, according to the attribute information of the data access request, the access control rule corresponding to that attribute information in an access control rule library, and then comparing the parsed pending SQL statement with the SQL statement library in the access control rule found;
if the comparison result is that the pending SQL statement is a normal SQL statement in the SQL statement library, forwarding the data access request to the target database server;
if the comparison result is that the pending SQL statement is an illegal SQL statement in the SQL statement library, blocking the access of the data request source to the target database server.
Preferably, after comparing the pending SQL statement with the SQL statement library in the access control rule, the method further comprises:
if the comparison result is that the pending SQL statement is neither a normal SQL statement nor an illegal SQL statement in the SQL statement library:
sending a prompt to an administrator to discriminate the SQL statement; and
after receiving the SQL statement discrimination indication input by the administrator, performing the corresponding operation according to that indication:
if the SQL statement discrimination indication is the indication of a normal SQL statement, storing the pending SQL statement in the SQL statement library as a normal SQL statement, and forwarding the data access request to the target database server;
if the SQL statement discrimination indication is the indication of an illegal SQL statement, storing the pending SQL statement in the SQL statement library as an illegal SQL statement, and blocking the access of the data request source to the target database server.
Preferably, the access control rule library is set in advance as follows:
for each target database server, the access control rules relating to that target database server are set in the access control rule library by the following method:
for each data request source permitted to access the target database server, after taking the identification information of the target database server and the identification information of the data request source as attribute information, the SQL statements that the target database server allows this data request source to execute are taken as the normal SQL statements of the SQL statement library in the access control rule corresponding to that attribute information, and the SQL statements that the target database server does not allow this data request source to execute are taken as the illegal SQL statements of the SQL statement library in that access control rule.
Preferably, one or more pending SQL statements are parsed; and
before comparing the parsed pending SQL statements with the SQL statement library in the access control rule, the method further comprises:
dynamically buffering each parsed pending SQL statement, and then, for each pending SQL statement, parsing the operation type of the SQL command carried by that statement and grouping the pending SQL statements carrying the same operation type into one SQL sequence; and
comparing the parsed pending SQL statements with the SQL statement library in the access control rule specifically comprises:
for each group of SQL sequence, comparing the pending SQL statements in that group one by one, in a set order, with the SQL statement library in the access control rule.
Preferably, the identification information is specifically an IP address; and
the attribute information parsed from the data access request further comprises the port information of the data request source, the port information of the target database server, and the transport layer protocol between the data request source and the target database server.
According to another aspect of the present invention, a database security access control system is also provided, comprising:
a data access request parsing module, for parsing, from a data access request sent by a data request source to a target database server, the pending SQL statement, and parsing the identification information of the data request source and the identification information of the target database server as the attribute information of the data access request;
an access control rule query module, for looking up, according to the attribute information of the data access request delivered by the data access request parsing module, the access control rule corresponding to that attribute information in an access control rule library;
an SQL statement filtering module, for comparing the pending SQL statement parsed by the data access request parsing module with the SQL statement library in the access control rule found by the access control rule query module, and outputting the comparison result;
a security access control module, for performing, according to the comparison result output by the SQL statement filtering module, the corresponding operation: if the comparison result is that the pending SQL statement is a normal SQL statement in the SQL statement library, forwarding the data access request to the target database server; if the comparison result is that the pending SQL statement is an illegal SQL statement in the SQL statement library, blocking the access of the data request source to the target database server.
Preferably, the security access control module is further configured, when the received comparison result is that the pending SQL statement is neither a normal SQL statement nor an illegal SQL statement in the SQL statement library, to send a prompt to an administrator to discriminate the SQL statement, and, after receiving the SQL statement discrimination indication input by the administrator, to perform the corresponding operation according to that indication:
if the SQL statement discrimination indication is the indication of a normal SQL statement, storing the pending SQL statement in the SQL statement library as a normal SQL statement, and forwarding the data access request to the target database server;
if the SQL statement discrimination indication is the indication of an illegal SQL statement, storing the pending SQL statement in the SQL statement library as an illegal SQL statement, and blocking the access of the data request source to the target database server.
Preferably, the system further comprises:
an access control rule setting module, for setting, for each target database server, the access control rules relating to that target database server in the access control rule library: for each data request source permitted to access the target database server, after taking the identification information of the target database server and the identification information of the data request source as attribute information, the SQL statements that the target database server allows this data request source to execute are taken as the normal SQL statements of the SQL statement library in the access control rule corresponding to that attribute information, and the SQL statements that the target database server does not allow this data request source to execute are taken as the illegal SQL statements of the SQL statement library in that access control rule.
Preferably, the data access request parsing module parses one or more pending SQL statements; and the system further comprises:
an SQL statement grouping module, for dynamically buffering each pending SQL statement parsed by the data access request parsing module and then, for each pending SQL statement, parsing the operation type of the SQL command carried by that statement and grouping the pending SQL statements carrying the same operation type into one SQL sequence; and
the SQL statement filtering module is specifically configured, for each group of SQL sequence determined by the SQL statement grouping module, to compare the pending SQL statements in that group one by one, in a set order, with the SQL statement library in the access control rule found by the access control rule query module.
Preferably, the identification information is specifically an IP address; and
the data access request parsing module is specifically configured to parse, from the data access request sent by the data request source to the target database server, the pending Structured Query Language (SQL) statement, and to take the further parsed IP address of the data request source, port information of the data request source, IP address of the target database server, port information of the target database server and transport layer protocol between the data request source and the target database server, all together, as the attribute information of the data access request.
In the technical solution of the embodiments of the present invention, the pending SQL statement is parsed from the data access request sent by the data request source to the target database server, and the identification information of the data request source and of the target database server is parsed as the attribute information of the data access request; according to that attribute information, the corresponding access control rule is found in the access control rule library, and the parsed pending SQL statement is compared with the SQL statement library in that access control rule. This effectively controls SQL injection attacks that spoof the server into executing illegal SQL commands, and strengthens the security access control.
Embodiment
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to the accompanying drawings and preferred embodiments. It should be noted, however, that many of the details listed in the description are only meant to give the reader a thorough understanding of one or more aspects of the present invention; these aspects of the invention can be realised even without these specific details.
Terms such as "module" and "system" used in this application are intended to include computer-related entities, such as, but not limited to, hardware, firmware, combinations thereof, software, or software in execution. For example, a module may be, but is not limited to, a process running on a processor, a processor, an object, an executable program, a thread of execution, a program and/or a computer. For instance, both an application program running on a computing device and the computing device itself may be modules. One or more modules may reside within one process and/or thread of execution.
The inventors found that existing database systems are essentially all built with the SQL (Structured Query Language) language, and that the security access control means of the existing databases described above do not effectively isolate the potentially unsafe statements entered by users. Thus, even after passing the existing security controls described above, a user can still carry out an SQL injection attack by constructing special input that is passed into the web application as a parameter; such inputs are mostly combinations of SQL grammar, and executing the resulting SQL statements performs the operations the attacker intends. In other words, the main reason database systems suffer SQL injection attacks is that the SQL statements in the data access requests entered by users are not analysed.
The inventors therefore considered that the intrusion information carried in data access requests aimed at a target database can be stopped or filtered to prevent the infiltration of malicious SQL statements; in particular, the SQL statements sent by a data request source can be parsed in real time to determine whether they are illegal SQL statements, so that potentially unsafe SQL statements are effectively isolated and SQL injection attacks are prevented. Compared with existing techniques that cannot prevent SQL injection attacks, the technical solution provided by the present invention can strengthen the security control of database systems.
In practice, each target database server has a unique identifier corresponding to it (such as an IP address); each data request source likewise has a corresponding identifier (such as an IP address); and access between a data request source and a target database server also involves a default transport layer protocol for the data access request. The inventors therefore further considered that access control can also be exercised over several items such as the IP address and port of the data request source and the transport layer protocol carrying the data access request, so as to prevent malicious access from abnormal access endpoints and thereby strengthen the security control of database systems.
The technical solution of the present invention is described in detail below with reference to the accompanying drawings.
In the embodiments of the present invention, the access control rule library needs to be set in advance, before database security access control is carried out. Specifically, for each target database server in the database system, the access control rules relating to that target database server can be set in the access control rule library. The method of setting the access control rules of a target database server, whose specific flow is shown in Figure 1, may comprise the following steps:
S101: for each target database server, record the identification information of that target database server, and each data request source permitted to access that target database server together with its identification information.
In practice, each target database server in the database system has a unique IP address corresponding to it, so the identification information of a target database server can specifically be its IP address. Specifically, the IP address of each target database server (also called the target IP address herein) can be taken as its identification information; then, for each identification information, the data request sources permitted to access the target database server corresponding to that identification information, together with their IP addresses (also called source IP addresses herein), are recorded; and for each data request source recorded, its IP address is taken as the identification information of that data request source.
More preferably, other information capable of distinguishing different target database servers can also be used, together with the target IP address, as the identification information of the target database server. For example, the port information of the target database server (also called target port information herein) can be used together with the target IP address as its identification information. Correspondingly, other information capable of distinguishing different data request sources can be used, together with the source IP address, as the identification information of the data request source; for example, the port information of the data request source (also called source port information herein) can be used together with the source IP address as its identification information.
S102: for each data request source permitted to access this target database server, take the identification information of the target database server and the identification information of the data request source as attribute information.
Specifically, for each target database server and each data request source recorded in step S101 as permitted to access it, the identification information of the data request source and the identification information of the target database server can be taken as the attribute information of the data access requests that this data request source sends to this target database server. For example, for each data request source, the source IP address of the data request source and the target IP address of the target database server can be taken as the attribute information of the data access requests it sends to the target database server. More preferably, the source IP address and source port information of the data request source and the target IP address and target port information of the target database server can be taken as that attribute information.
In practical application, when a data request source requests data from a database server, the data access request it sends to that database server must be transmitted over a default transport layer protocol, which prevents the data request source from transmitting data access requests over other, improper transport layer protocols and thereby gaining unauthorised access. Therefore, as a more preferred embodiment, before step S102, for each target database server and each data request source recorded as permitted to access it, the transport layer protocol over which data access requests are allowed to be transmitted between that data request source and that target database server can also be recorded; and the permitted transport layer protocol, source IP address, source port information, target IP address and target port information are taken as the attribute information of the data access requests that this data request source sends to this target database server. The recorded transport layer protocol can specifically be a transport layer protocol number. In practical application, the attribute information of a data access request sent by a data request source to a target database server can thus comprise: source IP address, source port information, target IP address, target port information and transport layer protocol number.
S103: according to the attribute information of the data access requests sent by this data request source to this target database server, record the SQL statements that the target database server allows this data request source to execute and the SQL statements it does not allow this data request source to execute.
Specifically, for each target database server and each data request source recorded in step S101 as permitted to access it, the SQL statements that the target database server allows this data request source to execute when that attribute information is satisfied, and the SQL statements it does not allow this data request source to execute, are determined from the database access log of the target database server according to the attribute information of the data access requests sent by the data request source to the target database server.
S104: take the SQL statements permitted above as the normal SQL statements of the SQL statement library in the access control rule corresponding to the attribute information, and take the SQL statements not permitted above as the illegal SQL statements of the SQL statement library in that access control rule.
Specifically, the SQL statement library in the access control rule corresponding to this attribute information comprises a normal SQL statement library and an illegal SQL statement library, and the SQL statements carried in data access requests can comprise both the SQL statements that the target database server allows this data request source to execute and those it does not allow. Therefore, the SQL statements that the target database server allows this data request source to execute can be stored, as normal SQL statements, in the normal SQL statement library of the access control rule corresponding to this attribute information, while the SQL statements it does not allow this data request source to execute can be stored, as illegal SQL statements, in the illegal SQL statement library of that access control rule. More preferably, non-attack SQL statements generally recognised by those skilled in the art can also be stored in the normal SQL statement library as normal SQL statements, and attack SQL statements generally recognised by those skilled in the art can be stored in the illegal SQL statement library as illegal SQL statements.
In practical application, whether a statement is a normal or an illegal SQL statement, the SQL command it carries comprises an operation type and an operand. The operand can be a database table, a database table column, or a database. Correspondingly, the operation type can be "SELECT" (retrieve data from a database table), "UPDATE" (update data in a database table), "DELETE" (delete data from a database table), "INSERT INTO" (insert data into a database table), "CREATE DATABASE" (create a new database), "ALTER DATABASE" (modify a database), "CREATE TABLE" (create a database table), "ALTER TABLE" (change a database table), "DROP TABLE" (delete a database table), and so on.
In fact, the access control rule corresponding to an attribute information restricts the operation types and operands that the data request source corresponding to the source IP address in that attribute information is allowed to execute, and those it is not allowed to execute. For example, under the condition that this attribute information is satisfied, the operation types that the data request source corresponding to the source IP address is allowed to perform comprise "SELECT" and "UPDATE", and the operation types it is not allowed to perform comprise "UPDATE" and "DELETE"; for the operation type "SELECT", the operands it is allowed to access are all database tables; and for the operation type "UPDATE", the operand it is allowed to access is the specified database table "tb_user_info", while the operands it is forbidden to access are all operands other than the database table "tb_user_info".
Based on the access control rule library set in advance as above, the embodiments of the present invention provide a database security access control system that performs the database security access control method; its specific flow is shown in Figure 2 and may comprise the following steps:
S201: after receiving the data access request sent by a data request source to a target database server, parse the identification information of the data request source, the identification information of the target database server and the pending SQL statement from the received data access request.
Specifically, after receiving the data access request sent by the data request source to the target database server, the database security access control system can parse from it the identification information of the data request source, the identification information of the target database server to be accessed, and the pending SQL statement. The identification information of the data request source is specifically the source IP address, and the identification information of the target database server is specifically the target IP address. In practical application, the source port information of the data request source, the target port information of the target database server, and the transport layer protocol over which data access requests are allowed to be transmitted between the data request source and the target database server can also be parsed from the received data access request.
S202: take the parsed identification information of the data request source and the parsed identification information of the target database server as the attribute information of the received data access request.
More preferably, the database security access control system can also take the parsed source port information, target port information and permitted transport layer protocol between the data request source and the target database server, together with the parsed identification information of the data request source and of the target database server, as the attribute information of the received data access request.
S203: according to the attribute information of the data access request, look up the access control rule corresponding to that attribute information in the access control rule library; if found, go to step S204; otherwise go to step S206.
Specifically, according to the attribute information of the data access request, the database security access control system can search the preset access control rule library for an access control rule that simultaneously matches the source IP address, the target IP address and the other items in the attribute information, that is, the access control rule corresponding to this attribute information. If one is found, step S204 is performed; otherwise step S206 is performed and the access of the data request source to the target database server is blocked.
In practical application, when the attribute information of the data access request comprises the source IP address, source port information, target IP address, target port information and transport layer protocol, the preset access control rule library can be searched for an access control rule that simultaneously matches the source IP address, source port information, target IP address, target port information and transport layer protocol; if one exists, step S204 is performed; otherwise step S206 is performed and the access of the data request source to the target database server is blocked.
Specifically, the database security access control system can first search the preset access control rule library, according to the target IP address and source IP address in the attribute information, for access control rules that match both the target IP address and the source IP address; if none exist, step S206 is performed. Otherwise, among the access control rules found that match the target and source IP addresses, it continues to search for those that also match the source port information and target port information; if none exist, step S206 is performed. Otherwise, among the access control rules found that match the source and target port information, it continues to search for one that matches the transport layer protocol; if one exists, step S204 is performed; otherwise step S206 is performed and the access of the data request source to the target database server is blocked. In this way, step S203 filters out the access control rule matching the attribute information of the data access request, so that only transmissions configured in an access control rule can pass this multi-level security access control, which prevents access by illegitimate data request sources and unauthorised access by legitimate data request sources.
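The three-stage lookup of step S203 (IP pair, then port pair, then transport protocol), written out as an added example that is not code from the patent. The rule fields, the convention that a port or protocol left as None matches any value, the blocking reasons and the sample rule library are all constructed assumptions.

```python
"""Multi-level lookup of the access control rule for a data access request
(step S203).  Added example, not code from the patent; the rule fields,
the None-as-wildcard convention, the reason strings and the sample rules
are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestAttributes:
    """Attribute information parsed from one data access request (S201/S202)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # transport layer protocol number, e.g. 6 = TCP, 17 = UDP


@dataclass(frozen=True)
class AccessControlRule:
    """One entry of the access control rule library.  Port and protocol
    fields left as None match any value (assumption; the description
    records a fixed value for each of them)."""
    name: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: Optional[int] = None


def _fits(rule_value, actual):
    return rule_value is None or rule_value == actual


def find_rule(rules, attrs):
    """Narrow the library in the three stages of S203: IP pair, then port
    pair, then transport protocol.  Returns (rule, 'matched') or
    (None, reason); the reason is what a defender logs when blocking."""
    by_ip = [r for r in rules
             if r.dst_ip == attrs.dst_ip and r.src_ip == attrs.src_ip]
    if not by_ip:
        return None, "no rule for this source/target IP pair"
    by_port = [r for r in by_ip
               if _fits(r.src_port, attrs.src_port)
               and _fits(r.dst_port, attrs.dst_port)]
    if not by_port:
        return None, "IP pair permitted but port pair is not"
    for rule in by_port:
        if _fits(rule.proto, attrs.proto):
            return rule, "matched"
    return None, "IP and ports permitted but transport protocol is not"


def decide(rules, attrs):
    """Outcome of S203: 'S204' (continue to the SQL statement check) or
    'S206' (block), with the matched rule name or the blocking reason."""
    rule, reason = find_rule(rules, attrs)
    return ("S204", rule.name) if rule else ("S206", reason)


# Constructed rule library: two permitted data request sources of one
# target database server listening on TCP port 3306.
RULES = [
    AccessControlRule("app-server", src_ip="10.0.0.5", dst_ip="10.0.1.20",
                      dst_port=3306, proto=6),
    AccessControlRule("batch-job", src_ip="10.0.0.6", dst_ip="10.0.1.20",
                      src_port=40000, dst_port=3306, proto=6),
]

if __name__ == "__main__":
    print(decide(RULES, RequestAttributes("10.0.0.5", 51234, "10.0.1.20", 3306, 6)))
    print(decide(RULES, RequestAttributes("10.0.0.6", 40001, "10.0.1.20", 3306, 6)))
```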
S204: the pending SQL statement parsing and the SQL statement storehouse in the access control rule finding out are compared, if pending SQL statement is the normal SQL statement in SQL statement storehouse, perform step S205; Otherwise, execution step S206.
Particularly, in the corresponding access control rule of the attribute information of data access request that finds out by step S203 and receive, store the SQL statement storehouse corresponding with this attribute information; And the SQL statement storehouse corresponding with this attribute information comprises: store the normal SQL statement storehouse of several normal SQL statement and store the illegal SQL statement storehouse of several illegal SQL statement.Therefore, can by the pending SQL statement parsing respectively with the access control rule finding out in normal SQL statement storehouse in normal SQL statement and the illegal SQL statement in illegal SQL statement storehouse compare.In practical application, can be by entrained the pending SQL statement parsing operand and action type thereof, successively with SQL statement storehouse in the entrained operand of each normal SQL statement and action type and entrained operand and the action type thereof of each illegal SQL statement compare.
If comparative result is: pending SQL statement is the normal SQL statement in normal SQL statement storehouse, performs step S205.
If comparative result is: pending SQL statement is the illegal SQL statement in illegal SQL statement storehouse, performs step S206, the access of blocking-up request of data source to target database server.
If comparative result is: pending SQL statement is neither the normal SQL statement in normal SQL statement storehouse, and illegally the illegal SQL statement in SQL statement storehouse, performs step S206, blocks the access of request of data source to target database server.
More preferably, in the embodiment of the present invention, in order to strengthen the intensity of database security access control, the SQL statement library in the access control rule may also be supplemented and updated. Particularly, when the comparison result is that the pending SQL statement is neither a normal SQL statement in the normal SQL statement library nor an illegal SQL statement in the illegal SQL statement library, prompt information for discriminating the SQL statement may further be sent to the administrator. In this way, the administrator can judge from the prompt information whether the pending SQL statement is one that the target database server allows this request data source to execute; if so, the administrator can input discrimination indication information of a normal SQL statement. Otherwise, upon judging that the pending SQL statement is one that the target database server does not allow this request data source to execute, the administrator can input discrimination indication information of an illegal SQL statement. The prompt information for discriminating the SQL statement may be sent by conventional technical means known to those skilled in the art, for example in the form of mail, or fed back to the administrator through a display interface.
Then, after the SQL statement discrimination indication information input by the administrator is received, the corresponding operation may be performed according to the received SQL statement discrimination indication information. Particularly, if the SQL statement discrimination indication information is the discrimination indication information of a normal SQL statement, the pending SQL statement may be stored as a normal SQL statement in the SQL statement library of the access control rule found, and step S205 is performed. If the SQL statement discrimination indication information is the discrimination indication information of an illegal SQL statement, the pending SQL statement may be stored as an illegal SQL statement in the SQL statement library, and step S206 is performed.
In practical application, the data access request sent by the request data source to the target database server may contain one parsed pending SQL statement or several. Therefore, in order to improve the processing speed of security access control, as a more excellent embodiment, in step S204, before the parsed pending SQL statements are compared with the SQL statement library in the access control rule found, each parsed pending SQL statement may be dynamically buffered, and for each pending SQL statement the operation type of the SQL command it carries is parsed; the pending SQL statements carrying the same operation type are taken as one group of SQL sequences. For example, the pending SQL statements of the same operation type may be grouped in a stack manner, obtaining a modification group, a deletion group, and so on. Then, for each group of SQL sequences, the pending SQL statements in that group may be compared in turn, in a set order, with the SQL statement library in the access control rule. For example, the pending SQL statements in the group may be compared in turn, on a first-in-first-out basis, with the SQL statement library in the access control rule found, obtaining the comparison results.
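The following is an added example, not code from the patent, of the comparison step, the administrator discrimination step and the grouping step described above in one small Python filter. It assumes that the attribute information is reduced to the (request data source IP, target database server IP) pair, that a statement's operand is the first table name it references, and that statements in one request are separated by semicolons; the rule library, IP addresses and SQL text are constructed sample data.

```python
# Added example (not the patent's own code): a minimal SQL access-control filter
# in the shape the method describes. Rule library, IP addresses and statements
# are constructed sample data. Assumptions: attribute information is only the
# (source IP, target IP) pair; a statement's operand is its first table name;
# statements in one request are separated by ';'.
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

Attr = Tuple[str, str]   # (request data source IP, target database server IP)
Sig = Tuple[str, str]    # (operation type, operand), e.g. ("SELECT", "orders")

_OP_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE)\b", re.I)
_FROM = re.compile(r"\bFROM\s+([A-Za-z_]\w*)", re.I)
_TABLE = re.compile(r"\bTABLE\s+([A-Za-z_]\w*)", re.I)
# Where the operand (table name) sits for each operation type.
_OPERAND_RE = {"SELECT": _FROM, "DELETE": _FROM,
               "INSERT": re.compile(r"\bINTO\s+([A-Za-z_]\w*)", re.I),
               "UPDATE": re.compile(r"\bUPDATE\s+([A-Za-z_]\w*)", re.I),
               "DROP": _TABLE, "ALTER": _TABLE, "CREATE": _TABLE, "TRUNCATE": _TABLE}

def split_statements(request_sql: str) -> List[str]:
    """One request may carry several pending statements (naive ';' split)."""
    return [s.strip() for s in request_sql.split(";") if s.strip()]

def signature(sql: str) -> Sig:
    """Parse the operation type and the operand that the statement carries."""
    m = _OP_RE.match(sql)
    if not m:
        return ("UNKNOWN", "")
    op = m.group(1).upper()
    om = _OPERAND_RE[op].search(sql)
    return (op, om.group(1).lower() if om else "")

@dataclass
class Rule:
    normal: Set[Sig] = field(default_factory=set)   # normal SQL statement library
    illegal: Set[Sig] = field(default_factory=set)  # illegal SQL statement library

class AccessController:
    def __init__(self, rules: Dict[Attr, Rule]) -> None:
        self.rules = rules  # access control rule library keyed by attribute information

    def compare(self, attr: Attr, sql: str) -> str:
        """Step S204: compare one statement with the rule's two statement libraries."""
        rule = self.rules.get(attr)
        if rule is None:          # no rule for this source/target pair: fail closed (assumption)
            return "BLOCK"
        sig = signature(sql)
        if sig in rule.normal:
            return "FORWARD"      # step S205
        if sig in rule.illegal:
            return "BLOCK"        # step S206
        return "UNDETERMINED"     # in neither library: refer to the administrator

    def adjudicate(self, attr: Attr, sql: str, verdict: str) -> str:
        """Administrator discrimination: store the statement, then act on it."""
        rule = self.rules[attr]
        sig = signature(sql)
        if verdict == "normal":
            rule.normal.add(sig)
            return "FORWARD"
        rule.illegal.add(sig)
        return "BLOCK"

    def process_request(self, attr: Attr, request_sql: str) -> List[Tuple[str, str]]:
        """Buffer the statements, group them by operation type, compare each group FIFO."""
        groups: Dict[str, Deque[str]] = {}
        for sql in split_statements(request_sql):
            groups.setdefault(signature(sql)[0], deque()).append(sql)
        results: List[Tuple[str, str]] = []
        for queue in groups.values():
            while queue:
                sql = queue.popleft()   # first in, first out within the group
                results.append((sql, self.compare(attr, sql)))
        return results

def request_decision(results: List[Tuple[str, str]]) -> str:
    """Forward the whole request only if every statement is normal (assumption)."""
    return "FORWARD" if all(r == "FORWARD" for _, r in results) else "BLOCK"

def demo() -> Dict[str, object]:
    attr: Attr = ("10.0.0.5", "10.0.1.20")   # constructed source / target IPs
    ctl = AccessController({attr: Rule(
        normal={("SELECT", "orders"), ("INSERT", "orders"), ("UPDATE", "orders")},
        illegal={("DROP", "users"), ("DELETE", "users")},
    )})
    request = ("SELECT id FROM orders WHERE id = 1; "
               "UPDATE orders SET status = 'paid' WHERE id = 1; "
               "DROP TABLE users; "
               "SELECT name FROM customers WHERE id = 1")
    results = ctl.process_request(attr, request)
    # The administrator rules the unknown statement normal; the library now contains it.
    after = ctl.adjudicate(attr, "SELECT name FROM customers WHERE id = 1", "normal")
    return {"results": results, "decision": request_decision(results),
            "after_adjudication": after,
            "recheck": ctl.compare(attr, "SELECT name FROM customers WHERE id = 2")}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Comparing on the (operation type, operand) signature rather than on the literal text is what lets one library entry cover every parameter value of the same query shape; the price is that the signature parser must see the same statement boundaries the database will, so a production filter would use the database's own SQL parser in place of the regular expressions and the naive semicolon split used here.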
Step S205: the data access request is sent to the target database server.
Step S206: the access of the request data source to the target database server is blocked.
In the embodiment of the present invention, how the data access request is sent to the target database server, and how the access of the request data source to the target database server is blocked, may both adopt conventional technical means known to those skilled in the art, and are not repeated here.
In the embodiment of the present invention, the internal structure of the above database security access control system is as shown in Figure 3, and may specifically comprise: a data access request parsing module 301, an access control rule query module 302, a SQL statement filtering module 303, and a security access control module 304.
The data access request parsing module 301 is configured to parse, from the data access request sent by the request data source to the target database server, the pending SQL statement, and to parse the identification information of the request data source and the identification information of the target database server as the attribute information of this data access request.
The identification information of the request data source may specifically be the IP address of the request data source; the identification information of the target database server may specifically be the IP address of the target database server.
Particularly, the data access request parsing module parses the pending Structured Query Language (SQL) statement from the data access request sent by the request data source to the target database server, and further parses the IP address of the request data source, the port information of the request data source, the IP address of the target database server, the port information of the target database server, and the transport layer protocol between the request data source and the target database server, all as the attribute information of the data access request.
The access control rule query module 302 is configured to search the access control rule library for the access control rule corresponding to the attribute information of the data access request sent by the data access request parsing module 301.
The SQL statement filtering module 303 is configured to compare the pending SQL statement parsed by the data access request parsing module 301 with the SQL statement library of the access control rule found by the access control rule query module 302, and to output the comparison result.
The security access control module 304 is configured to perform, according to the comparison result output by the SQL statement filtering module 303, the operation corresponding to that comparison result.
If the comparison result is that the pending SQL statement is a normal SQL statement in the SQL statement library, the data access request is sent to the target database server.
If the comparison result is that the pending SQL statement is an illegal SQL statement in the SQL statement library, the access of the request data source to the target database server is blocked.
If the comparison result is that the pending SQL statement is neither a normal SQL statement in the SQL statement library nor an illegal SQL statement in the SQL statement library, prompt information for discriminating the SQL statement is sent to the administrator; and after the SQL statement discrimination indication information input by the administrator is received, the corresponding operation is performed according to that SQL statement discrimination indication information.
Particularly, if the SQL statement discrimination indication information is the discrimination indication information of a normal SQL statement, the pending SQL statement is stored as a normal SQL statement in the SQL statement library, and the data access request is sent to the target database server. If the SQL statement discrimination indication information is the discrimination indication information of an illegal SQL statement, the pending SQL statement is stored as an illegal SQL statement in the SQL statement library, and the access of the request data source to the target database server is blocked.
In the embodiment of the present invention, the access control rule library in the access control rule query module 302 is set in advance. Therefore, more preferably, the above database security access control system further comprises an access control rule setting module 305.
The access control rule setting module 305 is configured to set, for each target database server, the access control rules relating to that target database server in the access control rule library. Particularly, for each request data source permitted to access this target database server, the identification information of this target database server and the identification information of this request data source are taken as the attribute information; the SQL statements that this target database server allows this request data source to execute are taken as the normal SQL statements in the SQL statement library of the access control rule corresponding to this attribute information, and the SQL statements that this target database server does not allow this request data source to execute are taken as the illegal SQL statements in that SQL statement library.
In practical application, the data access request parsing module 301 may parse one pending SQL statement or several. Therefore, more preferably, in the embodiment of the present invention, the above database security access control system further comprises a SQL statement grouping module (not shown in the drawings).
The SQL statement grouping module is configured to dynamically buffer each pending SQL statement parsed by the data access request parsing module 301 and, for each pending SQL statement, to parse the operation type of the SQL command it carries, taking the pending SQL statements carrying the same operation type as one group of SQL sequences. Then, for each group of SQL sequences determined by the SQL statement grouping module, the SQL statement filtering module 303 may compare the pending SQL statements in that group in turn, in a set order, with the SQL statement library in the access control rule found by the access control rule query module 302.
In the implementation of the present invention, how each module in the database security access control system specifically performs security control on the data access request sent by the request data source may be understood with reference to the specific flow of the above database security access control method, and is not described in detail here.
In the technical scheme of the present invention, the pending SQL statement is parsed from the data access request sent by the request data source to the target database server, and the identification information of the request data source and the identification information of the target database server are parsed as the attribute information of the data access request; according to the attribute information of the data access request, the access control rule corresponding to the attribute information is found in the access control rule library, and the parsed pending SQL statement is compared with the SQL statement library in the access control rule. SQL injection attacks that deceive the server into executing illegal SQL commands can thus be effectively controlled, and the intensity of security access control is strengthened.
Those of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk, an optical disc, and the like.
The above is only a preferred embodiment of the present invention. It should be pointed out that those skilled in the art may make some improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be considered as falling within the protection scope of the present invention.