CN113641702A - Method and device for interactive processing with database client after statement audit - Google Patents

Info

Publication number: CN113641702A
Authority: CN (China)
Prior art keywords: statement, script, execution password, database client, password
Legal status: Granted (Active)
Application number: CN202111206878.7A
Other languages: Chinese (zh)
Other versions: CN113641702B (en)
Inventor: 杨海峰, 刘宇
Current Assignee: Beijing Dbsec Technology Co ltd
Original Assignee: Beijing Dbsec Technology Co ltd
Application filed by: Beijing Dbsec Technology Co ltd
Priority to: CN202111206878.7A
Publications: CN113641702A (application), CN113641702B (granted)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method and a device for interactive processing with a database client after statement audit. The method comprises: intercepting a statement sent to the database client; auditing the intercepted statement; after the statement has been audited, adding an execution password to the audited statement; and sending the statement with the added execution password to the database client, wherein, once the execution password has been added to the statement, the database client must use the execution password to execute the statement. The method and device solve the prior-art problem that a database client cannot determine whether a statement it executes has been audited: an execution password is added to the statement sent to the database client, which improves the security of the client.

Description

Method and device for interactive processing with database client after statement audit
Technical Field
The application relates to the field of databases, in particular to a method and a device for interactive processing with a database client after statement audit.
Background
A database auditing system is mainly used to audit the various operations performed on a database server. It captures the database server's network messages, either by bypass traffic mirroring or through an installed plug-in, then extracts the SQL statements from the messages and stores them in the auditing system's own database for later querying, filtering and analysis, thereby monitoring and auditing the database server.
In the prior art, SQL statements generally need to be audited, and the audit is performed on a statement on its way to the database client.
A database client, however, cannot determine whether the SQL statements it executes have been audited. Audited SQL statements are safe for the database client to execute; otherwise they may introduce security risks. When the database receives a script, it is therefore important to determine whether the script has been audited.
Disclosure of Invention
The embodiment of the application provides a method and a device for interactive processing with a database client after statement auditing, so as to solve at least the problem that in the prior art, the database client cannot determine whether the executed statement is audited.
According to one aspect of the application, a method for interactive processing with a database client after statement audit is provided, comprising: intercepting a statement sent to the database client; auditing the intercepted statement; after the statement has been audited, adding an execution password to the audited statement; and sending the statement with the added execution password to the database client, wherein, once the execution password has been added to the statement, the database client must use the execution password to execute the statement.
Further, intercepting the statement sent to the database client and auditing the intercepted statement comprises: intercepting a script, wherein the script comprises a plurality of statements; splitting the plurality of statements in the script to obtain each statement; and auditing each statement obtained by splitting.
Further, adding the execution password to the audited statement comprises: adding one execution password to the script, wherein the database client executes each statement in the script using the same execution password.
Further, adding the execution password to the audited statement comprises: acquiring request information, wherein the request information requests that an execution password be added to the script or to a statement in the script; and adding the execution password to the script or statement corresponding to the request information.
Further, adding the execution password to the script or statement corresponding to the request information comprises: reviewing the request corresponding to the request information for approval; and, if approval is granted, adding the execution password to the script or statement corresponding to the request information.
According to another aspect of the present application, there is also provided an apparatus for interactive processing with a database client after statement audit, comprising: an intercepting module for intercepting a statement sent to the database client; an auditing module for auditing the intercepted statement; an adding module for adding an execution password to the audited statement after the statement has been audited; and a sending module for sending the statement with the added execution password to the database client, wherein, once the execution password has been added to the statement, the database client must use the execution password to execute the statement.
Further, the intercepting module is configured to intercept a script, wherein the script comprises a plurality of statements; the auditing module is configured to split the plurality of statements in the script to obtain each statement, and to audit each statement obtained by splitting.
Further, the adding module is configured to add one execution password to the script, wherein the database client executes each statement in the script using the same execution password.
Further, the adding module is configured to: acquire request information, wherein the request information requests that an execution password be added to the script or to a statement in the script; and add the execution password to the script or statement corresponding to the request information.
Further, the adding module is configured to: review the request corresponding to the request information for approval; and, if approval is granted, add the execution password to the script or statement corresponding to the request information.
In the embodiment of the application, a statement sent to the database client is intercepted; the intercepted statement is audited; after the statement has been audited, an execution password is added to the audited statement; and the statement with the added execution password is sent to the database client, wherein, once the execution password has been added to the statement, the database client must use the execution password to execute the statement. This solves the prior-art problem that a database client cannot determine whether a statement it executes has been audited: an execution password is added to the statement sent to the database client, which improves the security of the client.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments of the application and, together with the description, serve to explain the application and are not intended to limit the application. In the drawings:
Fig. 1 is a flowchart of a method for interactive processing with a database client after statement audit according to an embodiment of the present application.
Detailed Description
It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict. The present application will be described in detail below with reference to the embodiments with reference to the attached drawings.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
This embodiment provides a method for interactive processing with a database client after statement audit. Fig. 1 is a flowchart of the method according to an embodiment of the present application. As shown in Fig. 1, the flow includes the following steps:
Step S102: intercepting the statement sent to the database client;
Step S104: auditing the intercepted statement;
Step S106: after the statement has been audited, adding an execution password to the audited statement;
Step S108: sending the statement with the added execution password to the database client, wherein, once the execution password has been added to the statement, the database client must use the execution password to execute the statement.
Through these steps, when the database client receives a statement, the fact that the statement is configured with an execution password indicates that the statement has been audited. This solves the prior-art problem that a database client cannot determine whether a statement it executes has been audited: an execution password is added to the statement sent to the database client, which improves the security of the client.
In an optional additional embodiment, if the statement intercepted in step S102 already carries an execution password, the execution password carried in the statement is deleted. After the statement with the execution password deleted has been audited, a new execution password is added in step S106. The new execution password has a predetermined number of identification characters corresponding to the database client set at a predetermined position; once the execution password with the identification characters has been added to the audited statement, it indicates that the statement has been audited.
As another optional additional embodiment, after an intercepted script or statement has been audited and it is determined that the script or statement has an execution-time requirement, an execution password is added to the script or statement, where the execution password includes characters indicating an execution priority. After receiving the script or statement, the database client obtains the execution password and, if the execution password carries the characters indicating the execution priority, executes the script or statement preferentially.
As another optional additional embodiment, after the intercepted statement has been audited and it is determined to be a risk statement, that is, a statement whose execution may pose a risk to the security of the database, an execution password is added to the risk statement, where the execution password includes characters indicating a risk level. After receiving the risk statement, the database client obtains the execution password and, if the execution password carries the characters indicating the risk level, decides whether to execute the risk statement according to the risk level indicated by the characters and the security policy configured on the database client.
Statements can also be sent in the form of a script. In that case the script, which comprises a plurality of statements, is intercepted; the plurality of statements in the script are split to obtain each statement; and each statement obtained by splitting is audited.
In an alternative embodiment, adding the execution password to the audited statement comprises: acquiring request information, wherein the request information requests that an execution password be added to the script or to a statement in the script; and adding the execution password to the script or statement corresponding to the request information.
An approval function can be added to review the request corresponding to the request information for approval; if approval is granted, the execution password is added to the script or statement corresponding to the request information.
This embodiment involves script approval. Script approval is used to approve scripts in the operation and maintenance stage so as to control the scripts' access to sensitive data. A script is approved before it is sent to the client. After approval is granted, the execution password is added, and the script with the added execution password is sent to the database client.
The database client executes a script by splitting it into statements. In this embodiment, the script may likewise be split into statements.
There are many ways to split a script, for example splitting on a special symbol in the script (e.g., a semicolon). Alternatively, when the script contains no special symbol, the script can be treated as an SQL statement block, and the SQL statement block is then split. The splitting method can be as follows: acquiring an SQL statement block, wherein the SQL statement block comprises a plurality of SQL statements; searching the SQL statement block for keywords, wherein the keywords are configured in advance, the keywords are SQL commands, and the command statement containing a keyword may pose a risk when executed in a database; after a keyword is found in the SQL statements, locating in the statement block, according to the keyword, the SQL statement in which the keyword appears; extracting that SQL statement from the statement block; and analyzing the extracted SQL statement, wherein the analysis determines the risk generated when the SQL statement is executed in the database. Optionally, there are multiple keywords: the SQL statements are searched for each keyword, and whenever a keyword is found, the SQL statement containing it is extracted from the SQL statement block and each extracted SQL statement is analyzed. Optionally, the result of analyzing each SQL statement may also be obtained, and the results for all SQL statements summarized into a result set of the analysis.
In the splitting method, the SQL statement containing the keyword can be obtained from the statement block according to the SQL syntax feature corresponding to the keyword. The extracted SQL statements may also be analyzed according to preconfigured rules.
After splitting, the similarity of each statement to a set of templates may be calculated, where each template identifies one type of SQL statement; if a statement's similarity to a template exceeds a threshold, the type of the statement is the type indicated by that template. Types are distinguished according to the role of the SQL statement, e.g., all query statements are one type, all statements that update data are one type, and so on.
After the script as a whole passes the basic approval, the entire script is given one execution password, which indicates that the database uses that execution password when executing each statement in the script. Alternatively, an execution password may be assigned to one statement or to several statements, i.e. different statements in the script may have different execution passwords. As a preferred embodiment, after the statements are classified according to the templates, different execution passwords may be assigned according to the different classifications.
After the execution password has been assigned, the script with the execution password is sent to the database client. The client determines that the received script carries an execution password, which means the script has been audited, and the database client executes the script using the execution password.
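The flow described above (split the script, search each statement for preconfigured risk keywords, attach an execution password carrying a risk-level character, and let the client decide from that character and its own policy), as an added example that is not code from the patent. The patent does not say how an execution password is generated or checked; the HMAC over the statement with a key shared by auditor and client, the `R<level>:` prefix, the keyword table and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Assumption: a key provisioned to both the audit gateway and the database client.
SHARED_KEY = b"constructed-demo-key"

# Assumption: preconfigured risk keywords (SQL commands) with a risk level each.
RISK_KEYWORDS = {"DROP": 3, "TRUNCATE": 3, "DELETE": 2, "UPDATE": 1}

# Constructed sample script; the first statement has a semicolon inside a literal.
SAMPLE_SCRIPT = (
    "SELECT name FROM staff WHERE note = 'a;b';"
    " UPDATE staff SET grade = 2 WHERE id = 7;"
    " DROP TABLE staff_backup"
)


def split_script(script):
    """Split on semicolons, ignoring semicolons inside '...' string literals."""
    statements, buf, in_quote = [], [], False
    for ch in script:
        if ch == "'":
            in_quote = not in_quote  # a doubled '' toggles twice, so state is kept
        if ch == ";" and not in_quote:
            stmt = "".join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def risk_level(statement):
    """Audit step: highest level of any risk keyword found outside literals."""
    without_literals = re.sub(r"'(?:[^']|'')*'", "''", statement)
    words = re.findall(r"[A-Za-z_]+", without_literals)
    return max((RISK_KEYWORDS.get(w.upper(), 0) for w in words), default=0)


def _mac(level, statement):
    # The level is covered by the MAC so the risk character cannot be edited.
    msg = f"{level}\n{statement}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def add_execution_password(statement):
    """Gateway side: return (statement, execution password) after auditing."""
    level = risk_level(statement)
    return statement, f"R{level}:{_mac(level, statement)}"


def audit_script(script):
    """Split a script and give every statement its own execution password."""
    return [add_execution_password(s) for s in split_script(script)]


def client_should_execute(statement, password, max_risk):
    """Client side: run only audited statements within the local risk policy."""
    if not password or not password.startswith("R") or ":" not in password:
        return False  # no execution password: treat the statement as unaudited
    level_text, mac = password[1:].split(":", 1)
    if not level_text.isdigit():
        return False
    level = int(level_text)
    expected = _mac(level, statement)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # statement or risk character changed after the audit
    return level <= max_risk


if __name__ == "__main__":
    for stmt, pw in audit_script(SAMPLE_SCRIPT):
        verdict = "execute" if client_should_execute(stmt, pw, max_risk=1) else "refuse"
        print(f"{verdict:8} {pw[:3]} {stmt}")
```

Binding the password to the statement text is what lets the client treat a missing or mismatched password as "not audited"; a fixed password that is independent of the statement could be copied onto any other statement.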
In this embodiment, an electronic device is provided, comprising a memory in which a computer program is stored and a processor configured to run the computer program to perform the method in the above embodiments.
The programs described above may be run on a processor or may also be stored in memory (also referred to as computer-readable media), which includes both permanent and non-permanent, removable and non-removable media that implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
These computer programs may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks, and corresponding steps may be implemented by different modules.
This embodiment provides an apparatus, referred to as an apparatus for interactive processing with a database client after statement audit, comprising: an intercepting module for intercepting a statement sent to the database client; an auditing module for auditing the intercepted statement; an adding module for adding an execution password to the audited statement after the statement has been audited; and a sending module for sending the statement with the added execution password to the database client, wherein, once the execution password has been added to the statement, the database client must use the execution password to execute the statement.
The apparatus is configured to implement the functions of the method in the foregoing method embodiment, and each module in the apparatus corresponds to a step of the foregoing method, which has been described in the foregoing embodiment and is not described here again.
For example, the intercepting module is configured to intercept a script, wherein the script comprises a plurality of statements; the auditing module is configured to split the plurality of statements in the script to obtain each statement, and to audit each statement obtained by splitting.
For example, the adding module is configured to: acquire request information, wherein the request information requests that an execution password be added to the script or to a statement in the script; and add the execution password to the script or statement corresponding to the request information.
The adding module is further configured to: review the request corresponding to the request information for approval; and, if approval is granted, add the execution password to the script or statement corresponding to the request information.
This embodiment solves the prior-art problem that a database client cannot determine whether a statement it executes has been audited: an execution password is added to the statement sent to the database client, which improves the security of the client.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A method for interactive processing with a database client after statement audit is characterized by comprising the following steps:
intercepting the statement sent to the database client;
auditing the intercepted statement;
after the statement is audited, adding an execution password to the audited statement;
and sending the statement after the execution password is added to a database client, wherein the database client needs to execute the statement by using the execution password after the execution password is added to the statement.
2. The method of claim 1, wherein intercepting the statement sent to the database client and auditing the intercepted statement comprises:
intercepting a script, wherein the script comprises a plurality of statements;
splitting the plurality of statements in the script to obtain each statement;
and auditing each statement obtained by splitting.
3. The method of claim 2, wherein adding the execution password to the audited statement comprises:
and adding one execution password to the script, wherein each statement in the script is executed by the database client by using the same execution password.
4. The method of any of claims 1 to 3, wherein adding the execution password to the audited statement comprises:
acquiring request information, wherein the request information is used for requesting to add an execution password to the script or adding the execution password to a statement in the script;
and adding the execution password to the script or statement corresponding to the request information.
5. The method of claim 4, wherein adding the execution password to the script or statement corresponding to the request information comprises:
reviewing the request corresponding to the request information for approval;
and, if approval is granted, adding the execution password to the script or statement corresponding to the request information.
6. An apparatus for interactive processing with a database client after statement audit, characterized by comprising:
an intercepting module for intercepting a statement sent to the database client;
an auditing module for auditing the intercepted statement;
an adding module for adding an execution password to the audited statement after the statement has been audited;
and a sending module for sending the statement with the added execution password to the database client, wherein, once the execution password has been added to the statement, the database client must use the execution password to execute the statement.
7. The apparatus of claim 6,
the intercepting module is used for intercepting a script, wherein the script comprises a plurality of statements;
the auditing module is used for splitting the plurality of statements in the script to obtain each statement, and auditing each statement obtained by splitting.
8. The apparatus of claim 7, wherein the adding module is configured to:
and adding one execution password to the script, wherein each statement in the script is executed by the database client by using the same execution password.
9. The apparatus of any one of claims 6 to 8, wherein the adding module is configured to:
acquiring request information, wherein the request information is used for requesting to add an execution password to the script or adding the execution password to a statement in the script;
and adding the execution password to the script or statement corresponding to the request information.
10. The apparatus of claim 9, wherein the adding module is configured to:
review the request corresponding to the request information for approval;
and, if approval is granted, add the execution password to the script or statement corresponding to the request information.
Priority Applications (1)

Application number: CN202111206878.7A
Priority date: 2021-10-18
Filing date: 2021-10-18
Title: Method and device for interactive processing with database client after statement audit

Publications (2)

CN113641702A, published 2021-11-12
CN113641702B, published 2022-02-22

Family

Family ID: 78427150
Family application: CN202111206878.7A (Active), CN113641702B (en)
Country status: CN, CN113641702B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant