CN114547697A - Method, system and storage medium for obtaining user information for accessing SQL database - Google Patents

Publication number: CN114547697A
Application number: CN202210453116.5A
Authority: CN (China)
Legal status: Pending (an assumption, not a legal conclusion; Google has not performed a legal analysis)
Original language: Chinese (zh)
Inventors: 白岩, 梁志勇
Original and current assignee: Beijing Origin Shuan Technology Co ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Prior art keywords: sql, user information, database, request, character string

Classifications

    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects (e.g. a local or distributed file system or database), where protection concerns the structure of data, e.g. records, types, queries (under G06F21/00 Security arrangements, G06F21/60 Protecting data, G06F21/62, G06F21/6218)
    • G06F21/31 User authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00 Network arrangements or protocols for supporting network services or applications, H04L67/01 Protocols)
    • H04L69/22 Parsing or analysis of headers (under H04L69/00 Network arrangements, protocols or services independent of the application payload)

Abstract

The invention provides a method, a system and a storage medium for obtaining the user information for accessing an SQL database. The method comprises the following steps: acquiring, with a HOOK program, the user information in the request from the client to the Web server, the user information comprising a user name, an IP address and a URL address; storing the acquired user information in a local variable; injecting a HOOK program into the database driver, and using it to monitor and intercept the SQL request sent from the Web server to the database server so as to obtain the original SQL string; reading the user information from the local variable, generating an annotation string, and adding the annotation string to the SQL string in the form of a comment; and monitoring the SQL traffic of the SQL access with a traffic monitoring module and extracting the user information from the monitored SQL traffic. The invention improves the accuracy with which the user accessing the SQL database is identified and saves the performance overhead of the database auditing system.

Description

Method, system and storage medium for obtaining user information for accessing SQL database
Technical Field
The invention relates to the technical field of computers, in particular to a method, a system and a storage medium for acquiring user information for accessing an SQL database.
Background
In the modern B/S (Web application) architecture, three modules, the user's browser, the Web server and the database server, form three layers. As shown in fig. 1, the user first accesses a URL of the Web server through the browser, and the Web server application initiates an SQL query to the database according to the user's operation, so the user indirectly operates the database through SQL issued by the Web server. A database audit product must be able to record the full information of each SQL access to the database, including the real user information behind the SQL request, that is, the information with which the user accessed the Web server: the client IP address and the Web application user account. Traditional traffic-based database auditing products need to record database SQL operations and capture the actual user who triggered each SQL operation. Typically, however, users access the Web server with their own Web application accounts, while the Web server program accesses the database with a single shared database account. Because the user account, IP address and so on seen by the database server all belong to the Web server, the source of each SQL statement cannot be traced back from the database server to the user's browser. As shown in fig. 2, the user's login to the Web application and the Web application's SQL requests are operations of two independent systems, so identifying the real application user by associating the two is technically difficult.
As shown in fig. 3, a conventional traffic-based database auditing system must monitor both the traffic of users accessing the Web server and the database SQL traffic, and dynamically associate the user's "URL request" with the "SQL request" while the user accesses the Web; this "three-tier association technology" is how it solves the problem of associating SQL queries with Web application accesses. Specifically, the mapping between SQL and URL is determined by matching in two dimensions: a) the access time points; b) the pattern relationship between URLs and SQL statements. By monitoring Web access traffic and recording each URL request, the "URL access start time" and "URL access end time" are obtained; by monitoring SQL traffic, the "SQL request start time" and "SQL request end time" are obtained. Obviously the SQL request time should fall within the Web URL request time, so when an SQL statement appears in the traffic and needs to be checked, the recorded URL times are searched by the SQL's start and end times, the URL access record whose time range exactly contains the SQL's start and end times is taken as the corresponding one, and the real user's IP address and user account are obtained from that URL record.
In addition to time-based matching, to narrow the range of URLs that can match an SQL statement, the database auditing system learns and accumulates the pattern relationship between URLs and SQL statements, builds a mapping set from SQL to URL, and looks up the set of candidate URLs for an SQL statement according to that mapping. The "three-tier association technique" therefore uses the two matching dimensions "time" + "access pattern" to associate SQL with URLs and thereby obtain the real Web user information that initiated the SQL access.
However, the traditional "three-tier association technology" focuses on "traffic association", that is, on how to associate an "SQL request" with a "Web access" and establish as strong a relationship between the two as possible across different dimensions. In general, monitoring SQL traffic alone cannot extract user information from that traffic, so Web traffic must be monitored at the same time to obtain enough information to support the association; the traditional technique is therefore essentially inference and guesswork from non-specific information. Monitoring Web access traffic at the same time and recording the access conditions of every URL, including URL times, user information and so on, costs a great deal of computation and memory. In addition, when many Web users access concurrently, there are many false alarms or cases in which the user information cannot be determined: for example, two or more users may access the same URL service at the same time, and when users A and B access the same URL at the same (or a very close) time, it cannot be determined which of the two resulting SQL accesses belongs to user A and which to user B. The conventional user information identification method is therefore only suitable for scenarios with a small number of concurrent Web users. In short, the existing user information identification method has large identification error, low accuracy, low efficiency, and requires a large amount of association matching. How to improve the accuracy of identifying the user accessing the SQL database while saving the performance overhead of the database auditing system is thus an urgent technical problem.
Disclosure of Invention
In view of the above, the present invention provides a method, system and storage medium for obtaining user information for accessing an SQL database, so as to solve one or more problems in the prior art.
According to one aspect of the invention, the invention discloses a method for obtaining user information for accessing an SQL database, which comprises the following steps: acquiring user information in a request from a client to a Web server based on a HOOK program; the user information comprises a user name, an IP address and a URL address;
storing the acquired user information in a local variable;
injecting a HOOK program into a database driver, and monitoring and intercepting an SQL request sent from a Web server to a database server by using the HOOK program so as to obtain an original SQL character string;
acquiring the user information from the local variables, generating an annotation character string, and adding the annotation character string to the original SQL character string in an annotation form;
monitoring the SQL traffic of the SQL access with a traffic monitoring module, and extracting the user information from the monitored SQL traffic.
In some embodiments of the present invention, obtaining user information in a request from a client to a Web server based on a HOOK program includes:
monitoring an HTTP request from a client to a Web server based on a HOOK program;
analyzing the user name from the monitored HTTP request;
and acquiring the IP address and the URL address of the HTTP request based on a request public interface.
In some embodiments of the present invention, parsing the user name from the monitored HTTP request includes:
parsing the user name from the monitored HTTP request with a regular expression.
In some embodiments of the present invention, parsing the user name from the monitored HTTP request includes:
parsing the user name from the HTTP request body of the monitored HTTP request; or
parsing the user name from the URL address of the monitored HTTP request.
In some embodiments of the invention, the local variable is a ThreadLocal variable.
In some embodiments of the present invention, obtaining the user information from the local variables and generating annotation strings comprises:
acquiring the user information from the local variable;
encoding the acquired user information;
an annotation string is generated based on the encoded user information.
In some embodiments of the present invention, the encoding scheme is base64 encoding.
In some embodiments of the present invention, monitoring the SQL traffic of the SQL access with the traffic monitoring module and extracting the user information from the monitored SQL traffic includes:
monitoring the SQL traffic of the SQL access with the traffic monitoring module, and extracting the SQL request string from the monitored SQL traffic according to the SQL database protocol;
and extracting the annotation string from the SQL request string and parsing it to obtain the user information.
According to another aspect of the present invention, a system for obtaining user information for accessing an SQL database is also disclosed, the system comprising a processor and a memory, the memory storing computer instructions, the processor being configured to execute the computer instructions stored in the memory, the system implementing the steps of the method according to any of the above embodiments when the computer instructions are executed by the processor.
According to yet another aspect of the present invention, a computer-readable storage medium is also disclosed, on which a computer program is stored, which when executed by a processor implements the steps of the method according to any of the embodiments above.
The method and system for acquiring the user information for accessing the SQL database embed a HOOK program in the Web application, correctly acquire the user information in the request from the client to the Web server, inject the acquired user information losslessly into the SQL requests sent from the Web server to the database server, and do so for every generated SQL request; the correct user information for accessing the SQL database is then extracted by the traffic monitoring module. Compared with the traditional user information identification method, the accuracy is greatly improved, to almost 100 percent, so the identification error of the user information is reduced; in addition, the method does not need to monitor a large amount of Web traffic, which saves system overhead.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the specific details set forth above, and that these and other objects that can be achieved with the present invention will be more clearly understood from the detailed description that follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the invention. For purposes of illustrating and describing some portions of the present invention, corresponding parts of the drawings may be exaggerated, i.e., may be larger, relative to other components in an exemplary apparatus actually manufactured according to the present invention. In the drawings:
fig. 1 is a schematic diagram of a first process for a user to access a Web server.
Fig. 2 is a schematic diagram of a second process for a user to access a Web server.
Fig. 3 is a schematic diagram of a database audit process in the prior art.
Fig. 4 is a flowchart illustrating a method for obtaining user information for accessing an SQL database according to an embodiment of the present invention.
Fig. 5 is a flowchart illustrating a method for obtaining user information for accessing an SQL database according to another embodiment of the present invention.
Fig. 6 is a schematic structural diagram of a system for obtaining user information for accessing an SQL database according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments of the present invention are further described in detail below with reference to the accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
It should be noted that, in order to avoid obscuring the present invention with unnecessary details, only the structures and/or processing steps closely related to the scheme according to the present invention are shown in the drawings, and other details not closely related to the present invention are omitted.
It should be emphasized that the term "comprises/comprising/comprises/having" when used herein, is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
The user's login to the Web application and the Web application's SQL requests are operations of two mutually independent systems, so identifying the real application user by associating the two is technically difficult, and the database auditing methods of the prior art acquire user information with low accuracy and large error. To solve these problems, the invention provides a method, system and storage medium for acquiring the user information for accessing an SQL database, which resolve the problems of SQL access identification and real user information acquisition in the industry's database audit products: the identification accuracy can reach 100%, and the performance overhead of the database audit system is reduced.
Hereinafter, specific embodiments of the present invention will be described with reference to the accompanying drawings. In the drawings, the same reference numerals denote the same or similar parts, or the same or similar steps.
Fig. 4 is a flowchart illustrating a method for obtaining user information for accessing an SQL database according to an embodiment of the present invention, and as shown in fig. 4, the method for obtaining user information for accessing an SQL database at least includes steps S10-S50.
Step S10: acquiring, with a HOOK program, the user information in the request from the client to the Web server; the user information comprises a user name, an IP address and a URL address.
In this step, the HOOK program listens for the real user information in the request from the client to the Web server. Specifically, the HOOK program hooks the class that processes the Web request (HTTP request) sent by the client's browser, and this type of HOOK point obtains the user name, IP address, URL and so on by intercepting the HTTP request. For example, for a Web server program developed on springboot, the HOOK points are the methods by which the Web container in apache. processes the public HTTP request interface.
In an embodiment, acquiring the user information in the request from the client to the Web server with the HOOK program specifically includes: monitoring the HTTP request from the client to the Web server with the HOOK program, parsing the user name from the monitored HTTP request, and acquiring the IP address and URL address of the HTTP request from the request's public interface; the specific public interface of the request is the HTTPRequestServlet interface.
The HTTP request intercepted by the HOOK program is the "user login" HTTP request, from which the corresponding user name can be parsed. Before the HOOK program parses the HTTP request, it is generally necessary to determine whether the current URL is a login operation; if so, the user name is parsed from the current HTTP request. Typically, Web applications identify the login operation by a specific URL, such as /login. The user name may be carried in a URL parameter or in the HTTP request body: when the user name is in a URL parameter, the HOOK program parses it from the URL address of the monitored HTTP request; when it is in the HTTP request body, the HOOK program parses it from the body of the monitored HTTP request.
When the user name is in the HTTP request body, for example {user: abc}, the user name parsed by the HOOK program is abc; when the user name is in a URL parameter (the example URL is given in a figure that is not reproduced here), the user name parsed by the HOOK program is likewise abc. In addition, the IP address and URL address in the user information can be acquired from the public request interface (the HTTPRequestServlet interface) of each request.
Specifically, parsing the user name from the monitored HTTP request means parsing it with a regular expression. That is, whether the user name is in the URL or in the HTTP body, the HOOK program parses it with a pre-configured regular expression; an example configuration is as follows (the tail of the regular expression is in a figure that is not reproduced here):

    login.request.url: /dxhc/index.do            // identifies the login URL
    login.request.app.user.from: body            // where to parse the user name from: body = the HTTP request body, query = the URL
    login.request.app.user.pattern: phone\S*=    // regular expression for parsing the user name
Step S20: and storing the acquired user information in a local variable.
In this step, the local variable may be a ThreadLocal variable. That is, after acquiring the user name, URL and IP address from the HTTP request, the HOOK program stores them in the ThreadLocal variable. The kinds of user information acquired by the HOOK program are the same as the kinds stored in the thread-local variable, and besides the user name, URL and IP address, other kinds of user information may be included as needed.
Step S30: injecting the HOOK program into the database driver, and using the HOOK program to monitor and intercept the SQL request sent from the Web server to the database server so as to obtain the original SQL string.
The database driver is illustratively a Java JDBC database driver: after the HOOK program is injected into the JDBC driver, whenever the driver initiates an SQL request to the database, the HOOK program monitors and intercepts the request and so obtains the original SQL string. For example, with a MySQL database, when the class com.mysql.jdbc.StatementImpl calls the execute method, the HOOK program modifies the parameter of the execute method, that is, the original SQL string. In this step the HOOK program hooks the methods of the JDBC class that initiate the database operation; this HOOK point modifies the original SQL and writes the user name, IP address, URL address and so on into it in the form of a comment when the program initiates the JDBC operation. Illustratively, for a Web server program developed on springboot, these are a series of methods of the JDBC standard interface class in com. that operate the MySQL database.
Step S40: and acquiring the user information from the local variables, generating an annotation character string, and adding the annotation character string to the original SQL character string in an annotation form.
In this step, the stored user information such as the user name and IP address is read from the ThreadLocal variable and an annotation string is generated from it. For example, the user name, URL address and IP address may each be base64-encoded to generate the annotation string, in the form: base64-encoded user name : base64-encoded URL : base64-encoded IP address. For example, if the user name is abc, the URL is /login and the IP address is 192.168.0.1, the generated comment is /*YD-INFO:YWJjCg==:L2xvZ2luCg==:MTkyLjE2OC4wLjEK*/.
The annotation string is then added to the SQL string as a comment, that is, the SQL request sent by JDBC is modified. For the execute method, the SQL parameter is modified into the form SQL + comment; for example, the original SQL "select * from account" becomes "select * from account /*YD-INFO:YWJjCg==:L2xvZ2luCg==:MTkyLjE2OC4wLjEK*/".
In one embodiment, obtaining the user information from a local variable and generating an annotation string includes: acquiring the user information from a local variable; encoding the acquired user information; an annotation string is generated based on the encoded user information.
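Steps S10 to S40 as one runnable model, added here as an illustration and not code from the patent or its ACP product: a per-thread context standing in for the ThreadLocal variable, a configurable regular expression that parses the user name from a login request (the configuration keys, the /dxhc/index.do login URL and the user=(\w+) pattern are assumptions), and the YD-INFO comment builder appended to the SQL. Because base64 output contains only letters, digits, +, / and =, a user name supplied by the client can never contain the "*/" that would close the comment early.

```python
import base64
import re
import threading
from urllib.parse import urlsplit

# Constructed configuration in the spirit of the patent's example (assumed keys, not the product's own).
LOGIN_CONFIG = {
    "url": "/dxhc/index.do",    # request path that identifies the login operation
    "from": "body",             # "body" = parse the HTTP request body, "query" = parse the URL query
    "pattern": r"user=(\w+)",   # regular expression whose first group is the user name
}

_ctx = threading.local()  # stands in for the ThreadLocal variable of step S20


def parse_login_username(path, body, cfg=LOGIN_CONFIG):
    """Step S10: return the user name if this HTTP request is a login request, else None."""
    parts = urlsplit(path)
    if parts.path != cfg["url"]:
        return None
    haystack = body if cfg["from"] == "body" else parts.query
    m = re.search(cfg["pattern"], haystack)
    return m.group(1) if m else None


def on_http_request(path, body, client_ip):
    """First HOOK point (doFilter-style): store user name, URL and IP in the per-thread context."""
    user = parse_login_username(path, body)
    if user is not None:
        _ctx.user, _ctx.url, _ctx.ip = user, urlsplit(path).path, client_ip


def clear_context():
    """Drop the per-thread context when the request ends so a reused thread cannot leak it."""
    _ctx.__dict__.clear()


def _b64(s):
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def build_annotation(user, url, ip):
    """Step S40: /*YD-INFO:b64(user):b64(url):b64(ip)*/ ; base64 never yields '*/' or ':'."""
    return "/*YD-INFO:%s:%s:%s*/" % (_b64(user), _b64(url), _b64(ip))


def annotate_sql(sql):
    """Second HOOK point (StatementImpl.execute-style): append the comment to the original SQL."""
    if not hasattr(_ctx, "user"):
        return sql  # no Web user context on this thread: leave the SQL untouched
    return "%s %s" % (sql, build_annotation(_ctx.user, _ctx.url, _ctx.ip))


def handle_request(path, body, client_ip, sql):
    """Simulate one Web request on its own thread; return the SQL that would reach the database."""
    result = {}

    def work():
        on_http_request(path, body, client_ip)
        result["sql"] = annotate_sql(sql)
        clear_context()

    t = threading.Thread(target=work)
    t.start()
    t.join()
    return result["sql"]
```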
Step S50: monitoring the SQL traffic of the SQL access with a traffic monitoring module, and extracting the user information from the monitored SQL traffic.
After the annotation string corresponding to the user information has been added to the original SQL string in step S40, the traffic monitoring module can monitor the SQL traffic of the SQL access and extract the real user information for accessing the SQL database.
Illustratively, monitoring the SQL traffic of the SQL access with the traffic monitoring module and extracting the user information from the monitored SQL traffic includes: monitoring the SQL traffic of the SQL access with the traffic monitoring module, and extracting the SQL request string from the monitored SQL traffic according to the SQL database protocol; and extracting the annotation string from the SQL request string and parsing it to obtain the user information.
In an embodiment, the database traffic is first monitored; taking a MySQL database as the example, the database traffic is MySQL traffic. The SQL request string is then extracted from the MySQL traffic according to the MySQL database protocol. Because the SQL was modified by the HOOK program in step S40 to add the comment, the obtained SQL contains the comment added by the HOOK, for example "select * from account /*YD-INFO:YWJjCg==:L2xvZ2luCg==:MTkyLjE2OC4wLjEK*/". The annotation string added by the HOOK program is then recognised by the YD-INFO marker in the comment and parsed: the annotation content is split into three parts by colons, and each part is base64-decoded to obtain the original user name, URL and IP address; for the SQL comment above, parsing yields abc, /login and 192.168.0.1 respectively.
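Step S50 as a runnable model of the traffic monitoring side, added here as an illustration and not code from the patent or its product: a minimal reader for the MySQL client-to-server packet framing (3-byte little-endian length, 1-byte sequence id, payload whose first byte 0x03 marks a COM_QUERY), followed by the YD-INFO comment parser. The sample capture is constructed in the block and contains the patent's own example statement, an unannotated query and a malformed annotation, so the parser's rejection path is exercised as well.

```python
import base64
import binascii
import re

COM_QUERY = 0x03  # MySQL text-protocol command byte whose payload carries a query string
# The HOOK program's marker. Base64 text never contains '*', so the comment cannot end early.
ANNOTATION_RE = re.compile(r"/\*\s*YD-INFO:([A-Za-z0-9+/=:]+?)\s*\*/")


def build_com_query(sql, seq=0):
    """Constructed sample traffic: one MySQL packet (3-byte LE length, 1-byte sequence id, payload)."""
    payload = bytes([COM_QUERY]) + sql.encode("utf-8")
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def split_packets(stream):
    """Yield the payload of each complete MySQL packet in a client->server byte stream."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        payload = stream[off + 4:off + 4 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than mis-parse the tail
        yield payload
        off += 4 + length


def extract_sql(stream):
    """Step S50, part 1: the SQL request strings carried by COM_QUERY packets."""
    return [p[1:].decode("utf-8", errors="replace")
            for p in split_packets(stream) if p and p[0] == COM_QUERY]


def _decode_field(token):
    text = base64.b64decode(token, validate=True).decode("utf-8")
    return text.strip()  # the patent's printed sample values end in a newline (hence the 'Cg==' suffix)


def parse_annotation(sql):
    """Step S50, part 2: user name, URL and IP from the YD-INFO comment, or None if absent/malformed."""
    m = ANNOTATION_RE.search(sql)
    if not m:
        return None
    parts = m.group(1).split(":")
    if len(parts) != 3:
        return None
    try:
        user, url, ip = (_decode_field(p) for p in parts)
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # not produced by the HOOK: audit the SQL without attribution
    return {"user": user, "url": url, "ip": ip}


def audit(stream):
    """One audit record per query: the SQL with the comment stripped plus the attributed user info."""
    records = []
    for sql in extract_sql(stream):
        records.append({"sql": ANNOTATION_RE.sub("", sql).strip(),
                        "user_info": parse_annotation(sql)})
    return records


# Constructed sample capture: the patent's example statement, an unannotated query, a malformed comment.
SAMPLE_STREAM = (
    build_com_query("select * from account /*YD-INFO:YWJjCg==:L2xvZ2luCg==:MTkyLjE2OC4wLjEK*/", 0)
    + build_com_query("select 1", 0)
    + build_com_query("select * from account /*YD-INFO:abc:def:gh*/", 0)
)
```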
With the method for acquiring the user information for accessing the SQL database in the above embodiment, the HOOK program embedded in the Web application acquires the user information correctly, injects it losslessly into the SQL request, and injects corresponding user information into every generated SQL request, so that the subsequent traffic monitoring module can obtain the real user information simply and accurately. The ACP (Application Context Probe) module is injected into the application server program by HOOK technology and has no influence on the application program, that is, the application needs no code transformation, modification or redevelopment; ACP is enabled merely by modifying some of the application's startup parameters.
The user information is injected into the SQL request losslessly: the extra information has no effect on the SQL request's business function, so the database auditing system can extract the user information from SQL requests by monitoring SQL request traffic alone. Two key techniques are involved: "injection" and "losslessness". Specifically, through a non-invasive "HOOK application technology" for the Web application, the behaviour of the Web application is modified at run time without changing the Web application itself: the interface methods through which the application accesses the database are hooked, and when an SQL request is initiated, the user information is injected into the SQL request as an "SQL comment". The HOOK technology achieves non-invasive information injection at the application's interfaces while the Web application runs, and the SQL comment form has no effect on the SQL database protocol traffic. On the one hand, the method does not need to monitor Web access traffic, which saves system overhead; on the other hand, it raises the accuracy of identifying the user information to close to 100%.
Correspondingly, the invention also discloses a system for acquiring the user information for accessing the SQL database, which comprises a processor and a memory, wherein the memory stores computer instructions, the processor is used for executing the computer instructions stored in the memory, and when the computer instructions are executed by the processor, the system realizes the steps of the method according to any one of the above embodiments.
Web applications can be developed in many different programming languages, such as Java, PHP, Python, etc., and many server development languages provide support for implementing "profile-oriented programming," AOP, the capability of which is the basis for implementing the HOOK capability of an application. The Java virtual machine has very good support for AOP, and due to the popularity of open source frameworks such as springboot, more and more Web applications are developed by using Java language, and Java-based Web application programs in the industry have a great proportion, so that technical principle analysis for Java-based Web programs is representative. Referring to fig. 6, the present invention relates to an ACP (application context probe) module and a traffic monitoring module. The ACP module is responsible for: 1) obtaining real user information including an IP address and an application user name by using a HOOKURL corresponding method; 2) HOOK interception is carried out aiming at the method of JDBC access database, original SQL is modified, and user information is added to the original SQL in the form of SQL annotation. The flow monitoring module is responsible for: a) monitoring SQL request flow and analyzing SQL; b) and extracting the annotation content in the SQL to acquire user information.
For the deployment of the ACP (application context probe) module and the traffic monitoring module: the ACP module is deployed by modifying the Web server's start (restart) command, adding a Java agent option to the Java start command, for example where the file name of the Web application program is app. The traffic monitoring module is deployed in the traditional bypass traffic monitoring mode, which is the same as the traditional traffic auditing deployment mode.
In addition, different Java application frameworks organize their classes and methods differently; this embodiment takes the Spring Boot framework as the example for describing the selection of the HOOK points, because Spring Boot uses the standard Java Servlet specification and is highly representative of Java Web server-side programming frameworks. Regardless of which Java development framework is used, including a proprietary self-developed one, the ACP module needs to select two general types of method as HOOK points: a) the class and method with which the program processes the Web request (HTTP request) sent by the browser; b) the class and method with which the program initiates the JDBC database operation. The first type of HOOK point obtains information such as the user name, IP address and URL by intercepting the HTTP request; the second type modifies the original SQL when the program initiates the JDBC operation, writing the user name, IP address and other information into the SQL in the form of a comment.
For a Web server program developed with Spring Boot, the doFilter method of the org.apache.catalina.core.ApplicationFilterChain class is selected as the HOOK point for capturing HTTP requests, and the execute, executeUpdate and executeQuery methods of the com.mysql.jdbc.StatementImpl class are selected as the HOOK points for modifying the SQL sent to the MySQL database.
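What the two HOOK points do with the data, as an added example that is not the patent's or the ACP module's code. It is written in Python rather than as a Java agent, because the point is the data handling at each hook, not the bytecode instrumentation: hook (a), at the request handler, stores the user context in a thread-local; hook (b), at the database-access method, prefixes every outgoing SQL string with one block comment carrying that context, base64-encoded as claims 6 and 7 describe. The names UserContext, ACP_TAG, capture_request, annotate_sql and is_lossless, the JSON-in-base64 layout of the comment, and the sample request and statement are assumptions of this example.

```python
"""Added example (not the patent's or the ACP module's code): what the two
HOOK points do with the data, modelled in Python instead of a Java agent.

Hook (a), at the request handler, stores the user context in a thread-local;
hook (b), at the database-access method, prefixes every outgoing SQL string
with one block comment carrying that context.  The context is serialised as
JSON and base64-encoded, so nothing a client controls (user name, URL) can
close the comment or change the statement that follows it.  UserContext,
ACP_TAG, capture_request, annotate_sql and is_lossless are names assumed for
this example.
"""
import base64
import json
import re
import threading
from dataclasses import dataclass, asdict
from typing import Optional

ACP_TAG = "acp"              # assumed marker the traffic monitor searches for
_ctx = threading.local()     # one slot per request thread (claim 5)


@dataclass(frozen=True)
class UserContext:
    username: str
    ip: str
    url: str


def capture_request(username: str, ip: str, url: str) -> UserContext:
    """Hook (a): runs where the HTTP request is handled; remembers who is calling."""
    ctx = UserContext(username, ip, url)
    _ctx.current = ctx
    return ctx


def current_context() -> Optional[UserContext]:
    return getattr(_ctx, "current", None)


def clear_context() -> None:
    """Call when the request finishes so a pooled thread does not carry stale identity."""
    _ctx.current = None


def build_annotation(ctx: UserContext) -> str:
    """/* acp:<base64 JSON> */ : the base64 alphabet never contains '*', so the comment cannot be closed early."""
    payload = json.dumps(asdict(ctx), separators=(",", ":"), ensure_ascii=False)
    encoded = base64.b64encode(payload.encode("utf-8")).decode("ascii")
    return f"/* {ACP_TAG}:{encoded} */"


def annotate_sql(sql: str) -> str:
    """Hook (b): runs in execute/executeUpdate/executeQuery with the original SQL."""
    ctx = current_context()
    if ctx is None:
        return sql               # no identity on this thread: pass the statement through untouched
    return build_annotation(ctx) + " " + sql


_ANNOTATED = re.compile(r"^/\* " + re.escape(ACP_TAG) + r":[A-Za-z0-9+/=]+ \*/ ")


def is_lossless(annotated: str, original: str) -> bool:
    """Deployment check: exactly one well-formed comment, then the original statement verbatim."""
    m = _ANNOTATED.match(annotated)
    return m is not None and annotated[m.end():] == original


def context_in_fresh_thread() -> Optional[UserContext]:
    """Shows the scope of the thread-local: a new worker thread sees no user context."""
    seen = []
    worker = threading.Thread(target=lambda: seen.append(current_context()))
    worker.start()
    worker.join()
    return seen[0]


if __name__ == "__main__":
    # constructed request and statement for the demo
    capture_request("alice", "10.0.0.5", "/orders")
    original = "SELECT id, total FROM orders WHERE owner = 'alice'"
    tagged = annotate_sql(original)
    print(tagged)
    print("lossless:", is_lossless(tagged, original))
    clear_context()
```

Two points of the design are worth checking in a real deployment. First, the encoding step is what keeps the injection lossless and safe: the user name and URL come from the client, and without base64 a value containing comment-closing characters would alter the statement the database executes; is_lossless is the check that the annotated string is one comment followed by the original SQL verbatim. Second, the thread-local only works because a servlet container runs the filter and the JDBC call on the same request thread; if the application hands the database work to another thread, the context must be propagated explicitly, otherwise the hook sends the statement untagged and the monitor will record the user as unknown.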
The method and system are described below with reference to an embodiment, however, it should be noted that the embodiment is only for better describing the present application and should not be construed as limiting the present application.
Fig. 5 is a schematic flowchart of a method for obtaining user information for accessing an SQL database according to an embodiment of the present invention. As shown in fig. 5, after a user initiates a Web request, the ACP module obtains the user information at the Web request HOOK point and stores it in a thread-local variable; the ACP module then captures the original SQL to be executed at the JDBC database-access HOOK point, reads the user information from the thread-local variable and adds it to the original SQL in the form of an SQL annotation; the Web server initiates the SQL access to the database server; at this moment the traffic monitoring module monitors the SQL traffic of the access and parses the message to extract the SQL; the traffic monitoring module further extracts the user information from the SQL and records it to the audit log.
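The traffic-monitoring side of the flow in fig. 5, as an added example that is not the patent's or the traffic monitoring module's code. It parses one captured MySQL client packet, keeps only COM_QUERY commands, recovers the SQL request string, finds the annotation the injection hook prepended, decodes it and produces an audit record. The packet layout (3-byte little-endian payload length, 1-byte sequence id, command byte 0x03, query text) is the MySQL client/server protocol; the comment layout /* acp:<base64 JSON> */, the function names and the sample packet are assumptions constructed for the example.

```python
"""Added example (not the patent's or the traffic monitoring module's code):
the extraction step of fig. 5 over a captured MySQL client packet.

The monitor keeps only COM_QUERY commands, recovers the SQL request string
from the packet, finds the ACP comment the injection hook prepended, decodes
it and writes an audit record.  The packet layout used (3-byte little-endian
payload length, 1-byte sequence id, command byte 0x03 then the query text) is
the MySQL client/server protocol; the comment layout /* acp:<base64 JSON> */,
the names below and the sample packet are assumptions constructed for the
example.
"""
import base64
import json
import re
import struct
from typing import Optional, Tuple

COM_QUERY = 0x03
ACP_TAG = "acp"
_ACP_RE = re.compile(r"/\* " + re.escape(ACP_TAG) + r":([A-Za-z0-9+/=]+) \*/")


def parse_mysql_packet(raw: bytes) -> Optional[Tuple[int, bytes]]:
    """Split one MySQL packet into (sequence id, payload); None if the capture is short."""
    if len(raw) < 4:
        return None
    length = raw[0] | (raw[1] << 8) | (raw[2] << 16)
    payload = raw[4:4 + length]
    if len(payload) != length:
        return None
    return raw[3], payload


def extract_sql(payload: bytes) -> Optional[str]:
    """SQL request string from a COM_QUERY payload; None for any other command."""
    if not payload or payload[0] != COM_QUERY:
        return None
    return payload[1:].decode("utf-8", errors="replace")


def extract_user_info(sql: str) -> Optional[dict]:
    """User information from the ACP annotation; None when absent or malformed."""
    m = _ACP_RE.search(sql)
    if m is None:
        return None
    try:
        info = json.loads(base64.b64decode(m.group(1), validate=True))
    except ValueError:           # bad base64, bad UTF-8 or bad JSON: do not crash the monitor
        return None
    return info if isinstance(info, dict) else None


def audit_record(raw_packet: bytes) -> Optional[dict]:
    """One audit log entry per query packet; a missing identity is recorded, not guessed."""
    parsed = parse_mysql_packet(raw_packet)
    if parsed is None:
        return None
    _, payload = parsed
    sql = extract_sql(payload)
    if sql is None:
        return None
    info = extract_user_info(sql) or {}
    return {
        "username": info.get("username", "<unknown>"),
        "ip": info.get("ip", "<unknown>"),
        "url": info.get("url", "<unknown>"),
        "sql": _ACP_RE.sub("", sql, count=1).strip(),   # the statement without the tag
    }


def build_com_query_packet(sql: str, seq: int = 0) -> bytes:
    """Constructed sample input: wrap SQL in a client COM_QUERY packet."""
    payload = bytes([COM_QUERY]) + sql.encode("utf-8")
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


# Constructed sample: what the injection hook would have sent for user alice.
SAMPLE_INFO = {"username": "alice", "ip": "10.0.0.5", "url": "/orders"}
SAMPLE_SQL = "SELECT id, total FROM orders WHERE owner = 'alice'"
SAMPLE_PACKET = build_com_query_packet(
    "/* %s:%s */ %s" % (
        ACP_TAG,
        base64.b64encode(json.dumps(SAMPLE_INFO, separators=(",", ":")).encode()).decode(),
        SAMPLE_SQL,
    )
)

if __name__ == "__main__":
    print(audit_record(SAMPLE_PACKET))
```

A malformed or absent annotation is logged as an unknown user rather than dropped or guessed, so gaps in coverage (an untagged statement from a thread without context, a tampered comment) stay visible in the audit log. A real capture also needs TCP reassembly and, where the Web server talks to the database over TLS, a decryption point; the parse above starts where the traditional bypass auditing deployment already delivers clear-text packets.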
Through the above embodiment, the method and system for obtaining the user information for accessing the SQL database embed a HOOK program in the Web application, correctly obtain the user information from the request sent by the client to the Web server, inject the obtained user information losslessly into every SQL request sent from the Web server to the database server, and then extract the correct user information for the SQL database access with the traffic monitoring module. Compared with traditional user information identification methods, the accuracy is greatly improved, to almost 100 percent, so identification errors are reduced; in addition, the method does not need to monitor large volumes of Web traffic, which saves system overhead.
In addition, the invention also discloses a computer readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the method according to any of the above embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein may be implemented as hardware, software, or combinations of both. Whether this is done in hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments in the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A method for obtaining user information for accessing an SQL database, the method comprising:
acquiring user information in a request from a client to a Web server based on a HOOK program; the user information comprises a user name, an IP address and a URL address;
storing the acquired user information in a local variable;
injecting a HOOK program into a database driver, and monitoring and intercepting an SQL request sent from a Web server to a database server by using the HOOK program so as to obtain an original SQL character string;
acquiring the user information from the local variables, generating an annotation character string, and adding the annotation character string to the original SQL character string in an annotation form;
monitoring SQL traffic in an SQL access process based on a traffic monitoring module, and extracting the user information from the monitored SQL traffic.
2. The method of claim 1, wherein the obtaining the user information in the request from the client to the Web server based on the HOOK program comprises:
monitoring an HTTP request from a client to a Web server based on a HOOK program;
parsing the user name from the monitored HTTP request;
and acquiring the IP address and the URL address of the HTTP request based on a request public interface.
3. The method of claim 2, wherein parsing the user name from the monitored HTTP request comprises:
parsing the user name from the monitored HTTP request based on a regular expression.
4. The method of claim 2, wherein parsing the user name from the monitored HTTP request comprises:
parsing the user name from the HTTP request body of the monitored HTTP request; or
parsing the user name from the URL address of the monitored HTTP request.
5. The method for obtaining user information for accessing an SQL database according to claim 1, wherein the local variable is a thread-local variable.
6. The method of obtaining user information for accessing an SQL database according to claim 1, wherein obtaining the user information from the local variables and generating annotation strings comprises:
acquiring the user information from the local variable;
encoding the acquired user information;
an annotation string is generated based on the encoded user information.
7. The method for obtaining user information for accessing an SQL database according to claim 6, wherein the encoding is base64 encoding.
8. The method for obtaining user information for accessing an SQL database according to claim 1, wherein monitoring the SQL traffic in the SQL access process based on the traffic monitoring module, and extracting the user information from the monitored SQL traffic comprises:
monitoring SQL traffic in an SQL access process based on a traffic monitoring module, and extracting an SQL request character string from the monitored SQL traffic based on the SQL database protocol;
and extracting the annotation character string from the SQL request character string and analyzing to obtain the user information.
9. A system for obtaining user information for accessing an SQL database, the system comprising a processor and a memory, wherein the memory has stored therein computer instructions, the processor being configured to execute the computer instructions stored in the memory, the system implementing the steps of the method according to any one of claims 1 to 8 when the computer instructions are executed by the processor.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 8.
CN202210453116.5A 2022-04-27 2022-04-27 Method, system and storage medium for obtaining user information for accessing SQL database Pending CN114547697A (en)

Publications (1)

Publication Number Publication Date
CN114547697A (en) 2022-05-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination