CN115203719A - Method, device and equipment for desensitizing SQL (structured query language) statement and computer-readable storage medium

Publication number
CN115203719A
Authority
CN
China
Prior art keywords
desensitization
target
sql statement
rule
rules
Prior art date
Legal status
Pending
Application number
CN202210698972.7A
Other languages
Chinese (zh)
Inventor
骆奕先
黄威琪
胡小刚
陆棒
Current Assignee
Ping An Bank Co Ltd
Original Assignee
Ping An Bank Co Ltd
Priority date
Filing date
Publication date
Application filed by Ping An Bank Co Ltd
Priority to CN202210698972.7A
Publication of CN115203719A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes


Abstract

The embodiments of the application provide a method, an apparatus, a device and a computer-readable storage medium for desensitizing SQL statements. The method comprises the following steps: acquiring a target SQL statement to be processed; determining a target desensitization rule corresponding to the target SQL statement from preset candidate desensitization rules according to a comparison result of the target SQL statement and the candidate desensitization rules; processing the target SQL statement according to the target desensitization rule to obtain a desensitization SQL statement; and sending the desensitization SQL statement to a preset database for processing. In this technical scheme, the SQL statement is automatically matched against the preset candidate desensitization rules to obtain the corresponding target desensitization rule, so that different SQL statements can be desensitized automatically with their corresponding rules and the desensitized statements executed, which improves the security of the SQL statements while preserving the efficiency of writing them.

Description

Method, device and equipment for desensitizing SQL (structured query language) statement and computer-readable storage medium
Technical Field
The embodiment of the application relates to the technical field of data desensitization, in particular to a method, a device and equipment for desensitizing SQL statements and a computer-readable storage medium.
Background
SQL is a structured language for operating on a database, and SQL statements are used to update, add, and delete data in the database. The security protection of SQL statements affects the security of the data in the database.
However, current SQL statement desensitization relies on a single rule, which still leaves certain security problems; yet if the desensitization rules are configured in a complex way, the demands on the user writing the statements are high, statement writing is not convenient enough, and writing efficiency is low.
Disclosure of Invention
The embodiments of the application provide a method, an apparatus, a device and a computer-readable storage medium for desensitizing SQL statements, and aim to solve the technical problem that existing methods for desensitizing SQL statements cannot meet the requirements on security and efficiency at the same time.
In one aspect, an embodiment of the present application provides a method for desensitizing an SQL statement, including:
acquiring a target SQL statement to be processed;
determining a target desensitization rule corresponding to the target SQL statement from the candidate desensitization rules according to a comparison result of the target SQL statement and preset candidate desensitization rules;
processing the target SQL statement according to the target desensitization rule to obtain a desensitization SQL statement;
sending the desensitization SQL statement to a preset database for processing;
determining a target desensitization rule from the candidate desensitization rules according to a comparison result of the target SQL statement and preset candidate desensitization rules, wherein the determination comprises the following steps:
analyzing the target SQL statement and determining target characters in the target SQL statement;
and matching the character attributes of the target characters with the processing attributes of preset candidate desensitization rules, and determining the target desensitization rules corresponding to the target characters in the target SQL statement.
As a feasible embodiment of the present application, the analyzing the target SQL statement to determine the target characters in the target SQL statement includes:
performing lexical analysis on the target SQL statement, and determining the type corresponding to each character in the target SQL statement; the type comprises at least one of keywords, expressions, literals and operators;
and carrying out syntax analysis on the target SQL statement according to the type corresponding to each character in the target SQL statement, and determining the target character in the target SQL statement.
As a possible embodiment of the present application, before matching the character attribute of the target character with the processing attribute of a preset candidate desensitization rule and determining a target desensitization rule corresponding to each target character in the target SQL statement, the method further includes:
generating a first desensitization rule according to a digest algorithm selected on a preset configuration page, and setting a table name and a column name as processing attributes corresponding to the first desensitization rule;
generating a second desensitization rule according to the encryption algorithm selected on the preset configuration page, and setting a table value as a processing attribute corresponding to the second desensitization rule;
setting the first desensitization rule and the second desensitization rule as the preset candidate desensitization rule.
As a possible embodiment of the present application, before determining, according to a comparison result between the target SQL statement and a preset candidate desensitization rule, a target desensitization rule corresponding to the target SQL statement from the candidate desensitization rules, the method further includes:
acquiring a desensitization rule database corresponding to the user identification information according to the user identification information corresponding to the target SQL statement;
and setting the desensitization rule in the desensitization rule database as the preset candidate desensitization rule.
As a possible embodiment of the present application, after sending the desensitization SQL statement to a preset database for processing, the method further includes:
and writing the target desensitization rule and the desensitization characters in the desensitization SQL statement into the preset database in association with each other, so that when the target desensitization rule is updated to an updated desensitization rule, the desensitization characters in the preset database are updated according to the target desensitization rule and the updated desensitization rule.
As a possible embodiment of the present application, after sending the desensitization SQL statement to a preset database for processing, the method further includes:
if the target SQL statement is a query statement, acquiring a desensitization query result returned by the preset database and a character attribute corresponding to the desensitization query result;
determining a restoration desensitization rule corresponding to the desensitization query result according to the character attribute corresponding to the desensitization query result;
and processing the desensitization query result according to the restoration desensitization rule, and outputting a target query result.
On the other hand, an embodiment of the present application further provides an apparatus for desensitizing an SQL statement, including:
the acquisition module is used for acquiring a target SQL statement to be processed;
the comparison module is used for determining a target desensitization rule corresponding to the target SQL statement from the candidate desensitization rules according to a comparison result of the target SQL statement and preset candidate desensitization rules;
the desensitization module is used for processing the target SQL statement according to the target desensitization rule to obtain a desensitization SQL statement;
the processing module is used for sending the desensitization SQL statement to a preset database for processing;
determining a target desensitization rule from the candidate desensitization rules according to a comparison result of the target SQL statement and preset candidate desensitization rules, wherein the determination comprises the following steps:
analyzing the target SQL statement and determining target characters in the target SQL statement;
and matching the character attributes of the target characters with the processing attributes of preset candidate desensitization rules, and determining the target desensitization rules corresponding to the target characters in the target SQL statement.
On the other hand, an embodiment of the present application further provides an SQL statement desensitization device, where the SQL statement desensitization device includes a processor, a memory, and an SQL statement desensitization program stored in the memory and executable on the processor, and the processor executes the SQL statement desensitization program to implement the steps in the SQL statement desensitization method.
On the other hand, an embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium stores an SQL statement desensitization program, and the SQL statement desensitization program is executed by a processor to implement the steps in the SQL statement desensitization method.
With the SQL statement desensitization method provided here, after the SQL statement written by the user is obtained, it is automatically matched against the preset candidate desensitization rules to obtain the corresponding target desensitization rule, so that different SQL statements can be desensitized automatically with their corresponding rules and the desensitized statements executed, which improves the security of the SQL statements while preserving the efficiency of writing them.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic view of an implementation scenario of an SQL statement desensitization method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart illustrating steps of a desensitization method of an SQL statement according to an embodiment of the present application;
Fig. 3 is a flowchart illustrating a procedure for determining a target desensitization rule according to an embodiment of the present application;
Fig. 4 is a schematic flowchart illustrating a procedure of parsing a statement to obtain a target character according to an embodiment of the present application;
Fig. 5 is a flowchart illustrating a procedure for configuring a candidate desensitization rule according to an embodiment of the present application;
Fig. 6 is a flowchart illustrating steps of configuring a target desensitization rule based on a user identifier according to an embodiment of the present application;
Fig. 7 is a flowchart illustrating steps provided by an embodiment of the present application to update a database based on updated target desensitization rules;
Fig. 8 is a schematic flowchart illustrating a procedure of restoring a query result based on a query SQL statement according to an embodiment of the present application;
Fig. 9 is a schematic structural diagram of an SQL statement desensitization apparatus according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of an SQL statement desensitization device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any inventive step, are within the scope of the present invention.
In the embodiments of the present application, the word "exemplary" is used to mean "serving as an example, instance, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments. The following description is presented to enable any person skilled in the art to make and use the invention. In the following description, details are set forth for the purpose of explanation. It will be apparent to one of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and processes are not shown in detail to avoid obscuring the description of the invention with unnecessary detail. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed in the embodiments herein.
Embodiments of the present application provide a method, an apparatus, a device, and a computer-readable storage medium for desensitizing an SQL statement, which are described in detail below.
In the embodiment of the application, the SQL statement desensitization method is deployed on the SQL statement desensitization apparatus in the form of a program, the SQL statement desensitization apparatus is installed in the SQL statement desensitization device in the form of a processor, and the SQL statement desensitization apparatus in the SQL statement desensitization device executes the program corresponding to the SQL statement desensitization method to perform the following steps:
As shown in Fig. 1, which is a schematic view of an implementation scenario of an SQL statement desensitization method provided in an embodiment of the present application, the implementation scenario includes an SQL statement desensitization device 100, a rule configuration library 200, and a database 300. The SQL statement desensitization device 100 is mainly used to acquire an SQL statement input by a user through keyboard and mouse input, touch input, voice input, or the like, this SQL statement being the target SQL statement to be processed; to obtain the target desensitization rule corresponding to the target SQL statement by interacting with the rule configuration library 200; to desensitize the target SQL statement accordingly, obtaining a desensitization SQL statement; and finally to send the desensitization SQL statement to the corresponding database 300, so that the database 300 executes it, which completes the desensitization and execution of the whole SQL statement.
It should be noted that the scene diagram of the SQL statement desensitization method provided in fig. 1 is only an example, and the scene of the SQL statement desensitization method described in the embodiment of the present application is for more clearly illustrating the technical solution of the embodiment of the present application, and does not form a limitation on the technical solution provided in the embodiment of the present application.
Based on the schematic diagram of the implementation scene of the SQL statement desensitization method, the specific embodiment of the SQL statement desensitization method is provided.
As shown in fig. 2, fig. 2 is a schematic flow chart illustrating steps of an SQL statement desensitization method provided in an embodiment of the present application, where the SQL statement desensitization method in the embodiment of the present application includes steps 201 to 204:
201, acquiring a target SQL statement to be processed.
In the embodiment of the present application, the SQL statement refers to a structured language used by a program developer to operate on a database, and generally relates to updating, adding, and deleting data in the database. Examples include:
creating a new table: create table tabname (col1 type1 [not null] [primary key], col2 type2 [not null], …);
adding a column: alter table tabname add column col type;
deleting the primary key: alter table tabname drop primary key (col);
creating an index: create [unique] index idxname on tabname (col …);
updating: update table1 set field1 = value1 where range;
searching: select * from table1 where field1 like '%value1%', and so on.
In addition, SQL statements may also involve statistics on data in the database, such as:
sorting: select * from table1 order by field1, field2 [desc];
summing: select sum(field1) as sum from table1, and so on.
Since the SQL statement belongs to the common general knowledge in the field of program development, the embodiments of the present application are not described herein again.
In this embodiment of the present application, the target SQL statement to be processed generally refers to the SQL statement input by the user to the SQL statement desensitization device through any one of a keyboard and mouse input mode, a touch input mode, a voice input mode, or the like, and this embodiment of the present application is not described herein again.
202, according to the comparison result between the target SQL statement and the preset candidate desensitization rule, determining the target desensitization rule corresponding to the target SQL statement from the candidate desensitization rule.
In the embodiment of the application, when the SQL statement desensitization device acquires a target SQL statement input by a user, the target SQL statement is compared with the preset candidate desensitization rules, and the target desensitization rule corresponding to the target SQL statement is selected from the candidate desensitization rules according to the comparison result. For example, the candidate desensitization rules may include masking part of the key information with asterisks, or desensitizing the SQL statement with a preset encryption algorithm or digest algorithm, which is not described further here. Specifically, the candidate desensitization rules are stored in an Apollo configuration center.
Specifically, the comparison here may be to compare the attribute information of the target SQL statement with the attribute information configured for the desensitization rule in advance, or may also be to use other information to implement the comparison between the target SQL statement and the candidate desensitization rule. The embodiments of the present application are not described herein again.
Further, so that the subsequent database can still process the desensitization SQL statement, some special characters in the target SQL statement, such as operators and logical operators, are not desensitized. Therefore, as a feasible implementation scheme of the present application, the target SQL statement is parsed, the characters to be rewritten are extracted from the parsed characters, and the target desensitization rule corresponding to those characters is determined from the candidate desensitization rules, so as to complete the rewriting of the target SQL statement.
Of course, it is also feasible to perform complete desensitization processing on the target SQL statement; in this case, when the subsequent database processes the desensitization SQL statement, the database also needs to restore the desensitization SQL statement using the restoration rule corresponding to the target desensitization rule.
In addition, as another optional embodiment of the present application, different users may configure different desensitization rule databases to implement a user-defined desensitization process. In this case, the target SQL statement acquired by the SQL statement desensitization apparatus additionally carries user identification information, so that the corresponding desensitization rule database is identified according to the user identification information and the desensitization rules contained in that database are used as the candidate desensitization rules. For the specific implementation scheme, refer to Fig. 6 and its explanation below.
203, processing the target SQL statement according to the target desensitization rule to obtain a desensitization SQL statement.
In the embodiment of the application, after the target desensitization rule is determined from the candidate desensitization rules, the SQL statement desensitization device processes the SQL statement using the target desensitization rule to obtain the desensitized SQL statement, that is, the desensitization SQL statement, so that the database is subsequently operated on through the desensitization SQL statement.
Further, in combination with the feasible implementation scheme provided above, in which the characters to be rewritten are extracted from the target SQL statement by parsing it, processing the SQL statement with the target desensitization rule means replacing the target characters in the SQL statement with desensitization characters using the corresponding target desensitization rules, resulting in a desensitization SQL statement.
204, sending the desensitization SQL statement to a preset database for processing.
In the embodiment of the application, after the SQL statement desensitization device processes the SQL statement using the target desensitization rule to obtain the desensitization SQL statement, the desensitization SQL statement is sent to the database corresponding to the SQL statement for processing. As the foregoing description shows, if the desensitization SQL statement was obtained by completely processing the target SQL statement, the database needs to restore the desensitization SQL statement to recover the special characters, such as operators and logical operators, when processing it. Conversely, if the desensitization SQL statement was obtained by parsing the target SQL statement and desensitizing only some of its characters, the database may process the desensitization SQL statement directly, without any intervention of the desensitization rules.
Further, when the database processes desensitization SQL statements of specific types, for example insert and update statements, the desensitization characters produced by a specific desensitization rule are written into or updated in the database. After the corresponding desensitization rule changes, the desensitization characters in the database therefore need to be cleaned, that is, updated; for the specific implementation scheme, refer to Fig. 7 and its explanation below.
In addition, for an SQL statement of the query class, the database returns a query result to the SQL statement desensitization device. Based on the foregoing description, the query result may have been written or updated into the database in the form of desensitization characters. Therefore, as a possible embodiment of the present application, the SQL statement desensitization device further restores the query result using the corresponding desensitization rules, thereby outputting the original text to the user. For the specific implementation scheme, refer to Fig. 8 and its explanation below.
With the SQL statement desensitization method provided here, after the SQL statement written by the user is obtained, it is automatically matched against the preset candidate desensitization rules to obtain the corresponding target desensitization rule, so that different SQL statements can be desensitized automatically with their corresponding rules and the desensitized statements executed, which improves the security of the SQL statements while preserving the efficiency of writing them.
Fig. 3 is a flowchart illustrating steps of determining a target desensitization rule according to an embodiment of the present application, which is described in detail below.
In the embodiment of the application, a technical scheme is provided for extracting target characters from an SQL statement by analyzing the SQL statement, and determining a target desensitization rule corresponding to each target character, which specifically includes steps 301 to 302:
301, analyzing the target SQL statement, and determining target characters in the target SQL statement.
In the embodiment of the present application, parsing the SQL statement generally involves lexical parsing and syntax parsing of the SQL statement. Specifically, when the SQL statement is parsed, the database type corresponding to the SQL statement, such as MySQL or Oracle, needs to be determined in advance using the JDBC adapter, and a different parsing engine is obtained according to the database type, so as to complete the parsing of the SQL statement. For a specific implementation, reference may be made to Fig. 4 and its description below.
In the embodiment of the present application, the target characters generally refer to the variables in the SQL statement. For example, taking an SQL statement that adds a value of "123456789" in the column "mobile phone number", parsing the SQL statement determines that "mobile phone number" and "123456789" are variables that can be rewritten; the SQL statement desensitization apparatus may therefore take "mobile phone number" and "123456789" as the target characters for the subsequent desensitization processing.
302, matching the character attributes of the target characters with the processing attributes of preset candidate desensitization rules, and determining the target desensitization rules corresponding to each target character in the target SQL statement.
In the embodiment of the application, after the target characters in the SQL statement are determined, matching is further performed according to the character attributes of the target characters and the processing attributes of the preset candidate desensitization rules, so that the target desensitization rules corresponding to the target characters are determined, and different desensitization rules are subsequently adopted for processing aiming at different target characters. For a specific implementation scheme for configuring candidate desensitization rules, reference may be made to subsequent fig. 5 and its explanation.
In this technical scheme, the SQL statement is parsed, the target characters in it are extracted, and different desensitization rules are applied to different target characters, which further improves the desensitization effect. At the same time, parsing the SQL statement allows the variables in it to be treated as target characters that can be desensitized and the special characters as non-target characters that are not desensitized, which makes it easier for the database to process the desensitization SQL statement afterwards and improves the processing efficiency of the SQL statement.
As shown in fig. 4, fig. 4 is a flowchart illustrating a procedure of parsing a sentence to obtain a target character according to an embodiment of the present application, which is described in detail below.
In the embodiment of the present application, a specific implementation scheme for parsing an SQL statement through lexical parsing and syntax parsing is provided, which specifically includes steps 401 to 402:
401, performing lexical analysis on the target SQL statement, and determining a type corresponding to each character in the target SQL statement.
In the embodiment of the present application, performing lexical analysis on an SQL statement means that the SQL statement desensitization device uses a preset lexical analyzer, that is, the parsing engine for the database type corresponding to the SQL statement, to break the target SQL statement down into atomic symbols, that is, characters, and classifies each character as a keyword, an expression, a literal, or an operator according to the dictionary corresponding to the database type. In other words, the type corresponding to each character in the target SQL statement includes at least one of keyword, expression, literal, and operator.
402, performing syntax analysis on the target SQL statement according to the type corresponding to each character in the target SQL statement, and determining the target character in the target SQL statement.
In the embodiment of the application, after the type corresponding to each character is determined, the SQL statement desensitization device further uses a preset syntax parser to convert the target SQL statement into an abstract syntax tree. By traversing the abstract syntax tree and combining the type corresponding to each character, it refines the context required for the slicing and thereby determines the positions to be rewritten in the target SQL statement, that is, the target characters in the target SQL statement.
As shown in fig. 5, fig. 5 is a schematic flowchart illustrating a step of configuring a candidate desensitization rule according to an embodiment of the present application. The details are as follows.
In the embodiment of the present application, a desensitization rule implemented based on a digest algorithm and an encryption algorithm is provided, which specifically includes steps 501 to 503:
501, generating a first desensitization rule according to a digest algorithm selected on a preset configuration page, and setting a table name and a column name as processing attributes corresponding to the first desensitization rule.
In the embodiment of the present application, a digest algorithm generally refers to an algorithm that does not require a key, and data processed by a digest algorithm cannot be decrypted. There are many specific digest algorithms, for example the MD5 algorithm, the SHA-1 algorithm, and a large number of variations thereof. In the embodiment of the application, the digest algorithms are displayed on the preset configuration interface, so that a user can select a digest algorithm on the configuration interface in a user-defined manner to serve as one desensitization rule.
Further, considering that data processed by the digest algorithm cannot be decrypted, the characters handled by a desensitization rule generated from the digest algorithm should be characters that are not stored as key values in the SQL statement, for example the relatively common table names and column names. In the database, a table name or column name generally serves as identification information, and both the original character before digest processing and the desensitized character after processing can serve as an identifier. Therefore, the table name and the column name can be used as the processing attributes corresponding to the desensitization rule generated from the digest algorithm, so that target characters in the SQL statement whose character attribute is "table name" or "column name" are subsequently processed with the corresponding digest algorithm.
502, according to the encryption algorithm selected on the preset configuration page, generating a second desensitization rule, and setting a table value as a processing attribute corresponding to the second desensitization rule.
In the embodiment of the present application, the encryption algorithm generally refers to an algorithm for desensitizing with a key, and data processed by the encryption algorithm may be reversely decrypted with the key, so as to recover original text data. In particular, there are many kinds of encryption algorithms, such as DES, RSA, and the like, which are relatively common. In the embodiment of the application, the encryption algorithm is displayed on the preset configuration interface, and a user can select the encryption algorithm on the configuration interface in a self-defined mode to serve as one desensitization rule.
Further, considering that the data processed by the encryption algorithm can be reversely decrypted by using the key, the character attribute processed by the desensitization rule generated by the encryption algorithm should be a table value used as an information carrier in the SQL statement. Therefore, the table value can be used as the processing attribute corresponding to the desensitization rule generated by the encryption algorithm, so that the subsequent target character with the character attribute of "table value" in the SQL statement can be processed by using the corresponding encryption algorithm.
503, setting the first desensitization rule and the second desensitization rule as the preset candidate desensitization rule.
In the embodiment of the application, the first desensitization rule and the second desensitization rule are both rules capable of achieving a desensitization effect, and each has its processing attributes configured, so both can be used as candidate desensitization rules from which the target desensitization rule is selected based on the attributes of the target characters in the SQL statement. For ease of understanding, the SQL statement "add the value '123456789' in the 'mobile phone number' column" provided above is used as an example in the following description.
Specifically, in the foregoing SQL statement, although both "mobile phone number" and "123456789" may be regarded as target characters, their attributes are different. "Mobile phone number" is generally a column name in a database and mainly serves as a unique identifier, so a digest algorithm may be used for its desensitization, and the desensitized character can still serve as a unique identifier. By contrast, "123456789" is more likely to be a table value in the database. A table value is an information carrier and the information it carries must not change, so the desensitization character corresponding to this target character must be restorable to the original target character. Its desensitization rule should therefore be an encryption algorithm with a decryption function, so that after the desensitization character corresponding to "123456789" is extracted from the database, it can be restored to the original text "123456789" based on the corresponding decryption rule and shown to the user.
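Steps 401 to 402 and the attribute matching that the rules of steps 501 to 503 rely on, as an added Python example that is not code from the patent: a small lexer classifies each token, a context walk (standing in for the abstract-syntax-tree traversal) assigns the attribute table name, column name or table value, and each target is matched to a candidate rule. The keyword list, token pattern, rule names and sample statements are constructed for illustration, and the lexer's `identifier` type is a simplification of the patent's type list.

```python
import re

# Constructed dictionary for a tiny SQL subset (assumption, not a real dialect).
KEYWORDS = {"INSERT", "INTO", "VALUES", "SELECT", "FROM", "WHERE",
            "AND", "OR", "UPDATE", "SET"}
TABLE_INTRODUCERS = {"INTO", "FROM", "UPDATE"}   # keywords followed by table names

TOKEN_RE = re.compile(r"""\s*(?:
      (?P<literal>'(?:[^']|'')*'|\d+(?:\.\d+)?)   # quoted string ('' escapes) or number
    | (?P<word>[A-Za-z_]\w*)                      # keyword or identifier
    | (?P<operator><=|>=|<>|!=|[=<>*(),;])
    )""", re.VERBOSE)

# Candidate rules with their processing attributes (names are hypothetical).
CANDIDATE_RULES = [
    {"name": "first_rule_digest", "attributes": {"table_name", "column_name"}},
    {"name": "second_rule_encryption", "attributes": {"table_value"}},
]


def lex(sql):
    """Lexical pass: split the statement into (type, text) tokens."""
    sql, pos, tokens = sql.strip(), 0, []
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            # Fail closed: text that cannot be classified is never forwarded.
            raise ValueError(f"cannot tokenize SQL at offset {pos}")
        pos = m.end()
        kind = m.lastgroup
        text = m.group(kind)
        if kind == "word":
            kind = "keyword" if text.upper() in KEYWORDS else "identifier"
        tokens.append((kind, text))
    return tokens


def find_targets(sql):
    """Syntactic pass: keywords and operators are non-target characters;
    identifiers and literals are targets and receive a character attribute."""
    targets, in_table_list = [], False
    for kind, text in lex(sql):
        if kind == "keyword":
            in_table_list = text.upper() in TABLE_INTRODUCERS
        elif kind == "operator":
            if text == "(":                       # INSERT INTO t ( ...columns... )
                in_table_list = False
        elif kind == "identifier":
            targets.append((text, "table_name" if in_table_list else "column_name"))
        else:                                     # literal
            targets.append((text, "table_value"))
    return targets


def match_rules(sql, rules=CANDIDATE_RULES):
    """Match each target's character attribute to a rule's processing attributes."""
    matched = []
    for text, attribute in find_targets(sql):
        rule = next((r for r in rules if attribute in r["attributes"]), None)
        if rule is None:
            raise LookupError(f"no desensitization rule covers {attribute}")
        matched.append((text, attribute, rule["name"]))
    return matched


if __name__ == "__main__":
    for row in match_rules("INSERT INTO customer (mobile_phone) VALUES ('123456789')"):
        print(row)
```

A string literal that happens to contain keyword text stays a table value, and a statement the lexer cannot classify raises an error instead of reaching the database without desensitization.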
As shown in fig. 6, fig. 6 is a flowchart illustrating steps of configuring a target desensitization rule based on a user identifier according to an embodiment of the present application. The details are as follows.
In the embodiment of the present application, an implementation scheme for configuring a target desensitization rule based on different user identities is provided, which specifically includes steps 601 to 602:
601, obtaining a desensitization rule database corresponding to the user identification information according to the user identification information corresponding to the target SQL statement.
In contrast to other SQL statements, in the embodiment of the application, when a user inputs an SQL statement by any feasible input mode, the SQL statement desensitization device also acquires the user identification information corresponding to that statement and then obtains the corresponding desensitization rule database based on the user identification information. That is, each user may configure their own desensitization rules by creating a database, so that in subsequent desensitization processing the desensitization rule database corresponding to each user's identification information is obtained.
602, setting the desensitization rule in the desensitization rule database as the preset candidate desensitization rule.
In the embodiment of the present application, as can be seen from the foregoing description, different users may configure their own desensitization rules by creating a database. The desensitization rules in the desensitization rule database may therefore be set as the preset candidate desensitization rules, from which the target desensitization rules are determined.
As shown in fig. 7, fig. 7 is a flowchart illustrating steps of updating a database based on updated target desensitization rules according to an embodiment of the present application. The details are as follows.
In the embodiment of the present application, an implementation scheme is provided for cleaning and updating data in a database after a desensitization rule is updated, and specifically, the implementation scheme includes steps 701 to 702:
701, writing the target desensitization rule and the desensitization character in the desensitization SQL statement into the preset database in an associated manner.
In the embodiment of the application, a desensitization character in the desensitization SQL statement is a character obtained by desensitizing a target character in the target SQL statement. Specifically, when the target SQL statement is a write or update statement, the desensitization characters in the desensitization SQL statement are written into the preset database when the database executes the statement. So that the desensitization characters in the database can be updated accordingly if the target desensitization rule is later changed, the target desensitization rule and the desensitization characters are written in association, synchronously, when the desensitization SQL statement is executed.
702, if the target desensitization rule is updated to be the updated desensitization rule, updating desensitization characters in the preset database according to the target desensitization rule and the updated desensitization rule.
In the embodiment of the application, if the target desensitization rule is updated to a new desensitization rule, that is, the desensitization rule is updated, the data in the database needs to be cleaned. Specifically, each character associated with the target desensitization rule in the preset database is regarded as a desensitization character and is restored by using the reduction desensitization rule corresponding to the target desensitization rule. The restored character is then desensitized a second time with the updated desensitization rule to obtain an updated character, which replaces the corresponding character in the preset database, so that the character is updated.
As shown in fig. 8, fig. 8 is a schematic flowchart of a step of restoring a query result based on a query SQL statement according to an embodiment of the present application. The details are as follows.
In the embodiment of the present application, an implementation scheme is provided for restoring a query result after the query result is obtained for an SQL statement of a query class, and specifically includes steps 801 to 803:
801, obtaining a desensitization query result returned by the preset database and a character attribute corresponding to the desensitization query result.
In the embodiment of the application, if the SQL statement is a query-class statement, then after the preset database processes the SQL statement it returns a corresponding desensitization query result to the SQL statement desensitization device, together with the character attribute corresponding to the desensitization query result. As can be seen from the foregoing description, the values in the preset database are usually in the form of desensitization characters, and therefore the desensitization query result is also in the form of desensitization characters.
802, determining a reduction desensitization rule corresponding to the desensitization query result according to the character attribute corresponding to the desensitization query result.
In the embodiment of the application, in addition to obtaining the desensitization query result returned from the preset database, the SQL statement desensitization device determines the corresponding target desensitization rule from the candidate desensitization rules based on the character attribute and then obtains the reduction desensitization rule corresponding to that target desensitization rule. The reduction desensitization rule can be understood as the inverse of the target desensitization rule: the target desensitization rule encrypts an original text into a ciphertext, that is, a desensitization character, and the reduction desensitization rule restores the encrypted ciphertext to the original text, that is, it restores the desensitization character to the initial character.
803, the desensitization query result is processed according to the reduction desensitization rule, and a target query result is output.
In the embodiment of the application, the desensitization query result is processed by using a reduction desensitization rule, and initial characters can be finally output and provided for a user.
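Steps 701 to 702 and 801 to 803 carried out against an in-memory SQLite database, as an added Python example that is not code from the patent: each desensitized value is stored together with the id of the rule that produced it, query results are restored through that id, and a rule update restores and re-desensitizes every affected row in one transaction. The rule ids, keys, table layout and the HMAC-SHA-256 keystream construction are assumptions chosen so the example runs on the standard library alone; a deployment would use a vetted cipher from a cryptographic library.

```python
import hmac
import sqlite3

# Constructed rule set (assumption): rule id -> secret key of a reversible rule.
RULES = {"enc-v1": b"constructed-demo-key-1", "enc-v2": b"constructed-demo-key-2"}


def _mac(key, data):
    return hmac.new(key, data, "sha256").digest()


def _xor_stream(key, nonce, data):
    # Keystream = HMAC-SHA-256(key, "S" || nonce || counter), XORed over the data.
    stream = b"".join(_mac(key, b"S" + nonce + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def desensitize(rule_id, plain):
    """Reversible desensitization of a table value under the given rule."""
    key, data = RULES[rule_id], plain.encode()
    tag = _mac(key, b"T" + data)[:16]        # doubles as nonce and integrity tag
    return (tag + _xor_stream(key, tag, data)).hex()


def restore(rule_id, token):
    """Reduction rule: inverse of desensitize(); rejects values of another rule."""
    key, raw = RULES[rule_id], bytes.fromhex(token)
    tag, data = raw[:16], _xor_stream(key, raw[:16], raw[16:])
    if not hmac.compare_digest(tag, _mac(key, b"T" + data)[:16]):
        raise ValueError(f"value was not produced by rule {rule_id}")
    return data.decode()


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customer (mobile_phone TEXT, rule_id TEXT)")
    return db


def insert_value(db, rule_id, plain):
    # Step 701: the desensitized character and its rule are written in association.
    with db:
        db.execute("INSERT INTO customer VALUES (?, ?)",
                   (desensitize(rule_id, plain), rule_id))


def query_values(db):
    # Steps 801-803: the database returns desensitized results plus the stored
    # rule id, which selects the reduction rule used to restore each value.
    rows = db.execute(
        "SELECT mobile_phone, rule_id FROM customer ORDER BY rowid").fetchall()
    return [restore(rule_id, token) for token, rule_id in rows]


def rotate_rule(db, old_id, new_id):
    # Step 702: restore with the old rule, desensitize again with the updated one.
    with db:  # one transaction: every row moves to the new rule, or none does
        rows = db.execute("SELECT rowid, mobile_phone FROM customer WHERE rule_id = ?",
                          (old_id,)).fetchall()
        for rowid, token in rows:
            db.execute(
                "UPDATE customer SET mobile_phone = ?, rule_id = ? WHERE rowid = ?",
                (desensitize(new_id, restore(old_id, token)), new_id, rowid))
    return len(rows)


if __name__ == "__main__":
    db = open_db()
    insert_value(db, "enc-v1", "123456789")   # constructed sample value
    print(rotate_rule(db, "enc-v1", "enc-v2"), query_values(db))
```

Because the rule id travels with each value, a row written under the old rule can never be restored with the wrong key: `restore` raises instead of returning corrupted text.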
In order to better implement the SQL statement desensitization method provided by the embodiment of the present application, on the basis of the SQL statement desensitization method, an SQL statement desensitization device is further provided in the embodiment of the present application. As shown in fig. 9, fig. 9 is a schematic structural diagram of an SQL statement desensitization apparatus according to an embodiment of the present application. Specifically, the SQL statement desensitization device includes:
an obtaining module 901, configured to obtain a target SQL statement to be processed;
a comparison module 902, configured to determine, according to a comparison result between the target SQL statement and a preset candidate desensitization rule, a target desensitization rule corresponding to the target SQL statement from the candidate desensitization rule;
a desensitization module 903, configured to process the target SQL statement according to the target desensitization rule to obtain a desensitization SQL statement;
and the processing module 904 is configured to send the desensitization SQL statement to a preset database for processing.
In some embodiments of the present application, the comparison module includes:
the parsing sub-module is used for parsing the target SQL statement and determining target characters in the target SQL statement;
and the matching sub-module is used for matching the character attributes of the target characters with the processing attributes of preset candidate desensitization rules and determining the target desensitization rules corresponding to the target characters in the target SQL statement.
In some embodiments of the present application, the parsing sub-module includes:
the lexical analysis unit is used for carrying out lexical analysis on the target SQL statement and determining the type corresponding to each character in the target SQL statement; the type comprises at least one of keywords, expressions, literals and operators;
and the grammar analysis unit is used for carrying out grammar analysis on the target SQL statement according to the type corresponding to each character in the target SQL statement and determining the target character in the target SQL statement.
In some embodiments of the present application, the comparison module further includes a rule configuration sub-module, and the rule configuration sub-module includes:
the first rule configuration unit is used for generating a first desensitization rule according to a digest algorithm selected on a preset configuration page, and setting a table name and a column name as processing attributes corresponding to the first desensitization rule;
the second rule configuration unit is used for generating a second desensitization rule according to the encryption algorithm selected on the preset configuration page and setting a table value as a processing attribute corresponding to the second desensitization rule;
a rule setting unit configured to set the first desensitization rule and the second desensitization rule as the preset candidate desensitization rule.
In some embodiments of the present application, the rule configuration sub-module includes:
a rule database obtaining unit, configured to obtain, according to the user identification information corresponding to the target SQL statement, a desensitization rule database corresponding to the user identification information;
and the rule configuration unit is used for setting the desensitization rules in the desensitization rule database as the preset candidate desensitization rules.
In some embodiments of the present application, the SQL statement desensitization apparatus includes:
and the updating module is used for writing the target desensitization rule and the desensitization character in the desensitization SQL statement into the preset database in a correlated manner, so that when the target desensitization rule is updated to be the updated desensitization rule, the desensitization character in the preset database is updated according to the target desensitization rule and the updated desensitization rule.
In some embodiments of the present application, the SQL statement desensitization apparatus includes a restoring module; the restoring module includes:
the query result acquisition sub-module is used for acquiring a desensitization query result returned by the preset database and a character attribute corresponding to the desensitization query result if the target SQL statement is a query statement;
the restoration rule determining sub-module is used for determining a reduction desensitization rule corresponding to the desensitization query result according to the character attribute corresponding to the desensitization query result;
and the restoring sub-module is used for processing the desensitization query result according to the reduction desensitization rule and outputting a target query result.
An embodiment of the present application further provides an SQL statement desensitization device, as shown in fig. 10, fig. 10 is a schematic structural diagram of the SQL statement desensitization device provided in the embodiment of the present application.
The SQL statement desensitization device comprises a memory, a processor and an SQL statement desensitization program which is stored in the memory and can be run on the processor, and the steps of the SQL statement desensitization method provided by any embodiment of the present application are implemented when the processor executes the SQL statement desensitization program.
Specifically, the SQL statement desensitization apparatus may include components such as a processor 1001 of one or more processing cores, a memory 1002 of one or more storage media, a power supply 1003, and an input unit 1004. Those skilled in the art will appreciate that the SQL statement desensitization device architecture shown in fig. 10 does not constitute a limitation on SQL statement desensitization devices, which may include more or fewer components than shown, combine certain components, or use a different arrangement of components. Wherein:
the processor 1001 is a control center of the SQL statement desensitization device, connects each part of the entire SQL statement desensitization device by using various interfaces and lines, and executes various functions and processes data of the SQL statement desensitization device by running or executing software programs and/or modules stored in the memory 1002 and calling data stored in the memory 1002, thereby performing overall monitoring on the SQL statement desensitization device. Optionally, processor 1001 may include one or more processing cores; preferably, the processor 1001 may integrate an application processor, which mainly handles operating systems, user interfaces, application programs, etc., and a modem processor, which mainly handles wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 1001.
The memory 1002 may be used to store software programs and modules, and the processor 1001 executes various functional applications and data processing by operating the software programs and modules stored in the memory 1002. The memory 1002 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required by at least one function (such as a sound playing function, an image playing function, etc.), and the like; the storage data area may store data created from use of the SQL statement desensitization device, and the like. Further, the memory 1002 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid state storage device. Accordingly, the memory 1002 may also include a memory controller to provide the processor 1001 access to the memory 1002.
The SQL statement desensitization device further comprises a power source 1003 for supplying power to each component, and preferably, the power source 1003 may be logically connected to the processor 1001 through a power management system, so that functions of managing charging, discharging, power consumption management and the like are realized through the power management system. The power source 1003 may also include any component including one or more of a dc or ac power source, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator, and the like.
The SQL statement desensitization device may further include an input unit 1004, and the input unit 1004 may be used to receive input numeric or character information and generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control.
Although not shown, the SQL statement desensitization device may further include a display unit and the like, which are not described in detail herein. Specifically, in this embodiment, the processor 1001 in the SQL statement desensitization device loads the executable file corresponding to the process of one or more applications into the memory 1002 according to the following instructions, and the processor 1001 runs the applications stored in the memory 1002, thereby implementing the steps in the SQL statement desensitization method provided in any embodiment of the present application.
To this end, an embodiment of the present application provides a computer-readable storage medium, which may include: Read Only Memory (ROM), Random Access Memory (RAM), magnetic or optical disks, and the like. The computer readable storage medium stores an SQL statement desensitization program, and the SQL statement desensitization program realizes the steps of the SQL statement desensitization method provided by any embodiment of the present application when executed by a processor.
In the above embodiments, the descriptions of the respective embodiments have respective emphasis, and parts that are not described in detail in a certain embodiment may refer to the above detailed descriptions of other embodiments, and are not described herein again.
In a specific implementation, each unit or structure may be implemented as an independent entity, or may be combined arbitrarily to be implemented as one or several entities, and the specific implementation of each unit or structure may refer to the foregoing method embodiment, which is not described herein again.
The above operations can be implemented in the foregoing embodiments, and are not described in detail herein.
The above detailed description is made on the desensitization method of the SQL statement provided by the embodiment of the present application, and a specific example is applied in the present application to explain the principle and the implementation of the present invention, and the description of the above embodiment is only used to help understanding the method and the core idea of the present invention; meanwhile, for those skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.

Claims (10)

1. A method for desensitizing SQL statements, comprising:
acquiring a target SQL statement to be processed;
determining a target desensitization rule corresponding to the target SQL statement from the candidate desensitization rules according to a comparison result of the target SQL statement and a preset candidate desensitization rule;
processing the target SQL statement according to the target desensitization rule to obtain a desensitization SQL statement;
sending the desensitization SQL statement to a preset database for processing;
determining a target desensitization rule from the candidate desensitization rules according to a comparison result of the target SQL statement and preset candidate desensitization rules, wherein the step comprises the following steps of:
analyzing the target SQL statement and determining target characters in the target SQL statement;
and matching the character attributes of the target characters with the processing attributes of preset candidate desensitization rules, and determining the target desensitization rules corresponding to the target characters in the target SQL statement.
2. The SQL statement desensitization method according to claim 1, wherein the parsing the target SQL statement to determine the target characters in the target SQL statement comprises:
performing lexical analysis on the target SQL statement, and determining the type corresponding to each character in the target SQL statement; the type comprises at least one of keywords, expressions, literals and operators;
and according to the type corresponding to each character in the target SQL statement, performing syntax analysis on the target SQL statement, and determining the target character in the target SQL statement.
3. The SQL statement desensitization method according to claim 1, wherein before matching the character attributes of the target characters with the processing attributes of preset candidate desensitization rules and determining the target desensitization rules corresponding to each of the target characters in the target SQL statement, the method further comprises:
generating a first desensitization rule according to a digest algorithm selected on a preset configuration page, and setting a table name and a column name as processing attributes corresponding to the first desensitization rule;
generating a second desensitization rule according to the encryption algorithm selected on the preset configuration page, and setting a table value as a processing attribute corresponding to the second desensitization rule;
setting the first desensitization rule and the second desensitization rule as the preset candidate desensitization rule.
4. The SQL statement desensitization method according to claim 1, wherein before determining the target desensitization rule corresponding to the target SQL statement from the candidate desensitization rules according to the comparison result between the target SQL statement and the preset candidate desensitization rules, the method further comprises:
acquiring a desensitization rule database corresponding to the user identification information according to the user identification information corresponding to the target SQL statement;
and setting the desensitization rule in the desensitization rule database as the preset candidate desensitization rule.
5. The method of desensitizing SQL statements according to claim 1, wherein after sending the desensitized SQL statements to a preset database for processing, the method further comprises:
and writing the target desensitization rule and desensitization characters in the desensitization SQL statement into the preset database in a correlated manner, so that when the target desensitization rule is updated to be an updated desensitization rule, updating the desensitization characters in the preset database according to the target desensitization rule and the updated desensitization rule.
6. The SQL statement desensitization method according to claim 1, wherein after sending the desensitized SQL statement to a preset database for processing, the method further comprises:
if the target SQL statement is a query statement, acquiring a desensitization query result returned by the preset database and a character attribute corresponding to the desensitization query result;
determining a reduction desensitization rule corresponding to the desensitization query result according to the character attribute corresponding to the desensitization query result;
and processing the desensitization query result according to the reduction desensitization rule, and outputting a target query result.
7. The SQL statement desensitization method according to any one of claims 1 to 6, wherein the candidate desensitization rules are stored in an Apollo configuration center.
8. An SQL statement desensitization apparatus, comprising:
the acquisition module is used for acquiring a target SQL statement to be processed;
the comparison module is used for determining a target desensitization rule corresponding to the target SQL statement from the candidate desensitization rules according to a comparison result of the target SQL statement and preset candidate desensitization rules;
the desensitization module is used for processing the target SQL statement according to the target desensitization rule to obtain a desensitization SQL statement;
the processing module is used for sending the desensitization SQL statement to a preset database for processing;
determining a target desensitization rule from the candidate desensitization rules according to a comparison result of the target SQL statement and preset candidate desensitization rules, wherein the determination comprises the following steps:
analyzing the target SQL statement and determining target characters in the target SQL statement;
and matching the character attributes of the target characters with the processing attributes of preset candidate desensitization rules, and determining the target desensitization rules corresponding to the target characters in the target SQL statement.
9. An SQL statement desensitization device, comprising a processor, a memory, and an SQL statement desensitization program stored in the memory and executable on the processor, the processor executing the SQL statement desensitization program to implement the steps in the SQL statement desensitization method of any of claims 1 to 7.
10. A computer readable storage medium having stored thereon an SQL statement desensitization program that is executed by a processor to implement the steps in the SQL statement desensitization method of any of claims 1 to 7.
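The flow recited in claims 6 and 8 (parse the statement, match each target character's attribute against the candidate rules, rewrite the statement, then restore the query result) can be sketched as follows. This is an added example, not code from the patent: the rule-table format, the `phone` and `email` attributes, the HMAC-token transform and the in-memory vault are assumptions for illustration, and all sample values are constructed.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # assumption: a real deployment loads this from a secrets store
VAULT = {}                     # token -> original value, consulted by the restore step

def _token(prefix, value):
    """Deterministic token, so equal plaintexts still compare equal in WHERE clauses."""
    tag = hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]
    tok = f"{prefix}_{tag}"
    VAULT[tok] = value
    return tok

# Candidate rules (hypothetical format): processing attribute -> (detector, transform)
CANDIDATE_RULES = {
    "phone": (re.compile(r"1\d{10}"), lambda v: _token("PH", v)),
    "email": (re.compile(r"[^@\s']+@[^@\s']+\.\w+"), lambda v: _token("EM", v)),
}
LITERAL = re.compile(r"'((?:[^']|'')*)'")      # SQL string literal; '' is an escaped quote
TOKEN = re.compile(r"(?:PH|EM)_[0-9a-f]{16}")  # shape of the tokens produced above

def match_rule(value):
    """Return the transform of the first rule whose attribute fits the literal, else None."""
    for detector, transform in CANDIDATE_RULES.values():
        if detector.fullmatch(value):
            return transform
    return None

def desensitize_sql(sql):
    """Rewrite every string literal that matches a candidate rule; leave the rest untouched."""
    def repl(m):
        raw = m.group(1).replace("''", "'")
        rule = match_rule(raw)
        return "'" + rule(raw) + "'" if rule else m.group(0)
    return LITERAL.sub(repl, sql)

def restore_result(rows):
    """Restore step: values that look like tokens are mapped back through the vault."""
    def restore(v):
        return VAULT.get(v, v) if isinstance(v, str) and TOKEN.fullmatch(v) else v
    return [tuple(restore(v) for v in row) for row in rows]

if __name__ == "__main__":
    # Constructed sample statement
    stmt = "SELECT id FROM customer WHERE phone = '13800138000' AND name = 'O''Brien'"
    print(desensitize_sql(stmt))
```

The sketch only rewrites quoted string literals; numeric literals, bound parameters and SQL comments would need a real SQL parser rather than a regular expression.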
CN202210698972.7A 2022-06-20 2022-06-20 Method, device and equipment for desensitizing SQL (structured query language) statement and computer-readable storage medium Pending CN115203719A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210698972.7A CN115203719A (en) 2022-06-20 2022-06-20 Method, device and equipment for desensitizing SQL (structured query language) statement and computer-readable storage medium

Publications (1)

Publication Number Publication Date
CN115203719A true CN115203719A (en) 2022-10-18

Family

ID=83575367

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210698972.7A Pending CN115203719A (en) 2022-06-20 2022-06-20 Method, device and equipment for desensitizing SQL (structured query language) statement and computer-readable storage medium

Country Status (1)

Country Link
CN (1) CN115203719A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115422597A (en) * 2022-11-08 2022-12-02 国家工业信息安全发展研究中心 Self-adaptive industrial data desensitization and reduction method and system
CN117390658A (en) * 2023-12-13 2024-01-12 北京宇信科技集团股份有限公司 Data security engine, data security access system and access method
CN117390658B (en) * 2023-12-13 2024-03-05 北京宇信科技集团股份有限公司 Data security engine, data security access system and access method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination