CN116049222A - Verification method and device for database access request, electronic equipment and storage medium - Google Patents


Publication number
CN116049222A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310101152.XA
Other languages
Chinese (zh)
Inventor
胡曌云
王轶凡
沈瑜
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/42 Syntactic analysis

Abstract

The disclosure provides a method and a device for verifying a database access request, an electronic device and a storage medium, which can be applied to the field of network technology and the financial field. The method comprises: in response to receiving a database access request, processing target to-be-processed information indicated by the database access request to obtain a target abstract syntax tree corresponding to the target to-be-processed information, wherein the target to-be-processed information belongs to a structured query language; processing the target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree; verifying the target element information according to a preset element information set to obtain a verification result, wherein the preset element information set comprises at least one piece of preset element information; and refusing to execute the database access request when the verification result indicates that the target element information matches none of the at least one piece of preset element information.

Description

Verification method and device for database access request, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of network technology and finance, and more particularly, to a method and apparatus for verifying a database access request, an electronic device, a computer-readable storage medium, and a computer program product.
Background
With the development of network technology, Structured Query Language (SQL) has been widely used for accessing data and for querying, updating and managing relational database systems. The structured query language has the functions of data definition, data manipulation, and data control. Web services may be implemented based on a structured query language.
In the course of implementing the concept of the present disclosure, the inventors found that the related art has at least the following problem: because SQL injection detection in the related art has low accuracy, the security of Web services cannot be ensured.
Disclosure of Invention
In view of this, the present disclosure provides a method and apparatus for verifying a database access request, an electronic device, a computer-readable storage medium, and a computer program product.
According to one aspect of the present disclosure, there is provided a method of verifying a database access request, including:
in response to receiving a database access request, processing target to-be-processed information indicated by the database access request to obtain a target abstract syntax tree corresponding to the target to-be-processed information, wherein the target to-be-processed information belongs to a structured query language;
processing the target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree;
verifying the target element information according to a preset element information set to obtain a verification result, wherein the preset element information set comprises at least one piece of preset element information; and
refusing to execute the database access request when the verification result indicates that the target element information matches none of the at least one piece of preset element information.
According to an embodiment of the present disclosure, the above-described preset element information set is constructed by:
obtaining at least one piece of information to be processed from a data source, wherein the data source comprises at least one of the following: a local database, a cloud database, and a network resource, and the information to be processed belongs to a structured query language format;
processing each of the at least one piece of information to be processed to obtain an abstract syntax tree corresponding to each piece of information to be processed;
processing the abstract syntax tree corresponding to each of the at least one piece of information to be processed to obtain preset element information corresponding to each piece of information to be processed; and
constructing the preset element information set according to the preset element information corresponding to each of the at least one piece of information to be processed.
According to an embodiment of the present disclosure, the constructing the preset element information set according to preset element information corresponding to each of the at least one piece of information to be processed includes:
extracting features from each of the at least one piece of preset element information to obtain preset element feature information for each piece of preset element information; and
constructing the preset element information set according to the preset element feature information of each piece of preset element information.
According to an embodiment of the present disclosure, the verifying the target element information according to the preset element information set, and obtaining a verification result includes:
extracting features of the target element information to obtain target element feature information corresponding to the target element information;
determining the similarity between the target element feature information and each of the at least one piece of preset element feature information to obtain at least one similarity;
for each of the at least one similarity,
determining a verification result indicating that the target element information successfully matches the preset element information when the similarity is greater than or equal to a preset similarity threshold; and
determining a verification result indicating that the target element information does not match the preset element information when the similarity is less than the preset similarity threshold.
According to an embodiment of the present disclosure, the processing, in response to receiving a database access request, target to-be-processed information indicated by the database access request, to obtain a target abstract syntax tree corresponding to the target to-be-processed information includes:
acquiring the target to-be-processed information in response to receiving the database access request;
performing lexical analysis on the target to-be-processed information to obtain target intermediate information; and
performing syntax analysis on the target intermediate information to obtain the target abstract syntax tree.
According to an embodiment of the present disclosure, the target abstract syntax tree comprises at least one of: a first preset field and a second preset field.
According to an embodiment of the present disclosure, the processing the target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree includes:
processing at least one of the first preset field and the second preset field to obtain intermediate element information; and
determining the target element information based on the intermediate element information.
According to an embodiment of the present disclosure, in a case where the target abstract syntax tree includes the first preset field, the processing at least one of the first preset field and the second preset field to obtain the intermediate element information includes:
performing reservation processing on the first preset field according to a preset reservation rule to obtain first intermediate element information.
According to an embodiment of the present disclosure, in a case where the target abstract syntax tree further includes the second preset field, the processing at least one of the first preset field and the second preset field to obtain intermediate element information includes:
performing replacement processing on the second preset field according to a preset replacement rule to obtain second intermediate element information.
According to an embodiment of the present disclosure, the above method further includes:
permitting execution of the database access request when the verification result indicates that the target element information successfully matches any one of the at least one piece of preset element information.
According to another aspect of the present disclosure, there is provided a verification apparatus for a database access request, including:
a first processing module, configured to process, in response to receiving a database access request, target to-be-processed information indicated by the database access request to obtain a target abstract syntax tree corresponding to the target to-be-processed information, wherein the target to-be-processed information belongs to a structured query language;
a second processing module, configured to process the target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree;
a verification module, configured to verify the target element information according to a preset element information set to obtain a verification result, wherein the preset element information set comprises at least one piece of preset element information; and
a rejecting module, configured to refuse to execute the database access request when the verification result indicates that the target element information matches none of the at least one piece of preset element information.
According to another aspect of the present disclosure, there is provided an electronic device including:
one or more processors;
a memory for storing one or more instructions,
wherein the one or more instructions, when executed by the one or more processors, cause the one or more processors to implement a method as described in the present disclosure.
According to another aspect of the present disclosure, there is provided a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to implement a method as described in the present disclosure.
According to another aspect of the present disclosure, there is provided a computer program product comprising computer executable instructions which, when executed, are adapted to carry out the method as described in the present disclosure.
According to the embodiments of the present disclosure, the target element information is obtained by processing the target abstract syntax tree, and the target abstract syntax tree is obtained by processing the target to-be-processed information indicated by the database access request, so the target element information can characterize the content of interest in the target to-be-processed information. On this basis, the verification result is obtained by verifying the target element information according to the preset element information set, which improves the accuracy of database access request verification, at least partially solves the technical problem in the related art that the security of Web services cannot be ensured because SQL injection detection has low accuracy, and thereby ensures the security of database access.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings in which:
FIG. 1 schematically illustrates a system architecture to which a method of verification of database access requests may be applied, according to an embodiment of the present disclosure;
FIG. 2 schematically illustrates a flow chart of a method of validating a database access request, in accordance with an embodiment of the disclosure;
FIG. 3 schematically illustrates a flowchart of a method of constructing a set of preset element information in accordance with an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a method of processing a target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree, according to an embodiment of the disclosure;
FIG. 5 schematically illustrates a flowchart of a method for verifying target element information according to a preset element information set to obtain a verification result according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates an example schematic diagram of a validation process of a database access request according to an embodiment of the disclosure;
FIG. 7 schematically illustrates a block diagram of a verification apparatus of a database access request, according to an embodiment of the disclosure; and
FIG. 8 schematically illustrates a block diagram of an electronic device adapted to implement a method of verifying a database access request, according to an embodiment of the disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where an expression like "at least one of A, B and C, etc." is used, it should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.). Where an expression like "at least one of A, B or C, etc." is used, it should likewise be interpreted in accordance with the ordinary understanding of those skilled in the art (e.g., "a system having at least one of A, B or C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In the technical solution of the present disclosure, the acquisition, storage, application and the like of users' personal information all comply with relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
In the technical scheme of the disclosure, the authorization or consent of the user is obtained before the personal information of the user is obtained or acquired.
Structured query language is a database query and programming language. The structured query language may include at least one of: data query language (Data Query Language, DQL), data manipulation language (Data Manipulation Language, DML), transaction control language (Transaction Control Language, TCL), data control language (Data Control Language, DCL), data definition language (Data Definition Language, DDL), and cursor control language (Cursor Control Language, CCL).
An SQL injection attack may refer to inserting SQL commands into the query string of a domain name or page request. Because in some forms user-entered content is used to construct or influence dynamic SQL commands, or is passed as an input parameter to a stored procedure, a server can easily be caused to execute an injected attack SQL command.
In the course of implementing the concept of the present disclosure, the inventors found that the related art has at least the following problem: because SQL injection detection in the related art has low accuracy, the security of Web services cannot be ensured.
In order to at least partially solve the technical problems in the related art, the present disclosure provides a method and apparatus for verifying a database access request, an electronic device, and a storage medium, which can be applied to the network technical field and the financial field. The method comprises the following steps: responding to the received database access request, and processing target to-be-processed information indicated by the database access request to obtain a target abstract syntax tree corresponding to the target to-be-processed information, wherein the target to-be-processed information belongs to a structured query language; processing the target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree; verifying target element information according to a preset element information set to obtain a verification result, wherein the preset element information set comprises at least one preset element information; and refusing to execute the database access request under the condition that the verification result represents that the target element information and at least one piece of preset element information are not successfully matched.
It should be noted that the method and the device for verifying the database access request provided by the embodiments of the present disclosure may be used in the network technical field and the financial field, for example, in the computer technical field. The method and the device for verifying the database access request provided by the embodiment of the disclosure can also be applied to any field except the network technical field and the financial field, for example, the database technical field. The application fields of the method and the device for verifying the database access request provided by the embodiment of the disclosure are not limited.
FIG. 1 schematically illustrates a system architecture to which a method of verifying a database access request may be applied according to an embodiment of the present disclosure. It should be noted that FIG. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied, intended to help those skilled in the art understand the technical content of the present disclosure; it does not mean that embodiments of the present disclosure cannot be used in other devices, systems, environments, or scenarios.
As shown in fig. 1, a system architecture 100 according to this embodiment may include a first terminal device 101, a second terminal device 102, a third terminal device 103, a network 104, and a server 105. The network 104 is a medium used to provide a communication link between the first terminal device 101, the second terminal device 102, the third terminal device 103, and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
The user may interact with the server 105 through the network 104 using at least one of the first terminal device 101, the second terminal device 102, the third terminal device 103, to receive or send messages, etc. Various communication client applications, such as a shopping class application, a web browser application, a search class application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only) may be installed on the first terminal device 101, the second terminal device 102, and the third terminal device 103.
The first terminal device 101, the second terminal device 102, the third terminal device 103 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, laptop and desktop computers, and the like.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by the user using the first terminal device 101, the second terminal device 102, and the third terminal device 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the method for verifying a database access request provided by the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the verification device for database access requests provided by the embodiments of the present disclosure may be generally disposed in the server 105. The method for verifying a database access request provided by the embodiments of the present disclosure may also be performed by a server or a server cluster that is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103, and/or the server 105. Accordingly, the verification apparatus of the database access request provided by the embodiments of the present disclosure may also be provided in a server or a server cluster, which is different from the server 105 and is capable of communicating with the first terminal device 101, the second terminal device 102, the third terminal device 103 and/or the server 105.
Alternatively, the method for verifying the database access request provided by the embodiment of the present disclosure may also be performed by the first terminal device 101, the second terminal device 102, or the third terminal device 103, or may also be performed by other terminal devices different from the first terminal device 101, the second terminal device 102, or the third terminal device 103. Accordingly, the verification apparatus for a database access request provided in the embodiments of the present disclosure may also be provided in the first terminal device 101, the second terminal device 102, or the third terminal device 103, or in other terminal devices different from the first terminal device 101, the second terminal device 102, or the third terminal device 103.
For example, the preset element information set may be originally stored in any one of the terminal devices 101, 102, or 103 (for example, but not limited to, the terminal device 101), or stored on an external storage device and may be imported into the terminal device 101. Then, the terminal device 101 may locally perform the method for verifying a database access request provided by the embodiment of the present disclosure, or send the preset element information set to other terminal devices, servers, or server clusters, and perform the method for verifying a database access request provided by the embodiment of the present disclosure by other terminal devices, servers, or server clusters that receive the preset element information set.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
It should be noted that the sequence numbers of the respective operations in the following methods are merely representative of the operations for the purpose of description, and should not be construed as representing the order of execution of the respective operations. The method need not be performed in the exact order shown unless explicitly stated.
FIG. 2 schematically illustrates a flowchart of a method of verifying a database access request, according to an embodiment of the disclosure.
As shown in FIG. 2, the method 200 of verifying a database access request includes operations S210 to S240.
In operation S210, in response to receiving the database access request, the target to-be-processed information indicated by the database access request is processed to obtain a target abstract syntax tree corresponding to the target to-be-processed information, where the target to-be-processed information belongs to the structured query language.
In operation S220, the target abstract syntax tree is processed to obtain target element information corresponding to the target abstract syntax tree.
In operation S230, the target element information is verified according to a preset element information set to obtain a verification result, where the preset element information set includes at least one piece of preset element information.
In operation S240, if the verification result indicates that the target element information matches none of the at least one piece of preset element information, execution of the database access request is refused.
According to the embodiment of the disclosure, a code for generating a database access request may be written in a first script in advance, and in response to detecting a database access operation performed by a target user using a user terminal, the target terminal may run the first script to generate a database access request message, and may send the database access request message to a server, so that the server may verify a database access request corresponding to the database access operation according to the database access request message.
According to an embodiment of the present disclosure, alternatively, an interceptor may be configured in a Web system so that database access requests to be executed in a server are intercepted by the interceptor. For example, the object code of the interceptor may be configured to intercept the specified parameters contained in the database access request to be executed in the server. By arranging the interceptor in the system and intercepting the database access request with it, the security of database access can be ensured.
According to the embodiment of the disclosure, in response to receiving a database access instruction, the target to-be-processed information and a preset element information set can be acquired from a data source. The data source may include at least one of: local databases, cloud databases, and network resources. The preset element information set may include at least one piece of preset element information. The target to-be-processed information and the at least one piece of preset element information may belong to a structured query language format. For example, a data interface may be invoked, and the target to-be-processed information and the preset element information set may be acquired from the data source through the data interface.
According to the embodiment of the disclosure, after the target to-be-processed information is obtained, it can be processed to obtain the target abstract syntax tree corresponding to the target to-be-processed information. The processing of the target to-be-processed information may include at least one of the following: lexical analysis and syntax analysis. For example, lexical analysis may be performed on the target to-be-processed information to obtain the target abstract syntax tree. Alternatively, syntax analysis may be performed on the target to-be-processed information to obtain the target abstract syntax tree. Alternatively, both lexical analysis and syntax analysis may be performed on the target to-be-processed information to obtain the target abstract syntax tree.
According to the embodiment of the disclosure, after the target abstract syntax tree is obtained, it may be processed to obtain target element information corresponding to the target abstract syntax tree. The target element information may be used to characterize feature information of a portion of the target fields in the target abstract syntax tree. The processing of the target abstract syntax tree may include at least one of the following: replacement processing and reservation (retention) processing. For example, replacement processing may be performed on the target abstract syntax tree to obtain the target element information. Alternatively, reservation processing may be performed on the target abstract syntax tree to obtain the target element information. Alternatively, both replacement processing and reservation processing may be performed on the target abstract syntax tree to obtain the target element information.
According to the embodiment of the disclosure, after the target element information is obtained, the target element information can be verified according to the preset element information set, so that a verification result is obtained. The set of preset element information may include at least one preset element information. The preset element information may be used to characterize characteristic information of a part of preset fields in the preset abstract syntax tree. The target element information can be verified according to at least one piece of preset element information, and a verification result is obtained. The verification result may be used to characterize whether the target element information and the at least one preset element information are successfully matched.
According to the embodiment of the disclosure, the specific form of the preset element information set may be configured according to the actual service requirement, which is not limited herein. For example, the preset element information set may be a security element information set, in which case the target element information may be verified according to at least one piece of security element information to obtain a first verification result. In the case that the first verification result characterizes that the target element information is not successfully matched with any of the at least one piece of security element information, execution of the database access request may be refused. In the case that the first verification result characterizes that the target element information is successfully matched with any of the at least one piece of security element information, the database access request may be permitted to be executed.
Alternatively, the preset element information set may be a problem element information set, in which case the target element information may be verified according to at least one piece of problem element information to obtain a second verification result. In the case that the second verification result characterizes that the target element information is successfully matched with any problem element information in the at least one piece of problem element information, execution of the database access request may be refused. In the case that the second verification result characterizes that the target element information is not successfully matched with any of the at least one piece of problem element information, the database access request may be permitted to be executed.
According to the embodiment of the disclosure, since the target element information is obtained by processing the target abstract syntax tree, and the target abstract syntax tree is obtained by processing the target to-be-processed information indicated by the database access request, the target element information can characterize the content of interest in the target to-be-processed information. On this basis, the verification result is obtained by verifying the target element information according to the preset element information set, so that the accuracy of database access request verification can be improved, the technical problem that the safety of Web service cannot be ensured due to lower accuracy of SQL injection detection in the related art is at least partially solved, and the safety of database access is further ensured.
A method 200 of verifying a database access request according to an embodiment of the present invention is further described below with reference to fig. 3-6.
According to an embodiment of the present disclosure, the preset element information set may be constructed in the following manner.
At least one piece of information to be processed is obtained from a data source, wherein the data source comprises at least one of the following: a database, a configuration file and a program file, and the information to be processed is in the structured query language format. The at least one piece of information to be processed is processed respectively to obtain abstract syntax trees corresponding to each of the at least one piece of information to be processed. The abstract syntax trees corresponding to the at least one piece of information to be processed are processed respectively to obtain preset element information corresponding to each of the at least one piece of information to be processed. A preset element information set is constructed according to the preset element information corresponding to each of the at least one piece of information to be processed.
According to embodiments of the present disclosure, at least one piece of information to be processed may be obtained from a data source. The information to be processed may be in a structured query language format. The data source may include at least one of: a database, a configuration file and a program file. For example, the at least one piece of information to be processed may include information to be processed 1, information to be processed 2, ..., information to be processed n, ..., information to be processed N. N may be an integer greater than or equal to 1, and n ∈ {1, 2, ..., (N-1), N}.
According to embodiments of the present disclosure, the database may include a relational database, such as Oracle, SQLServer, Sybase, Informix, Access, DB or MySQL, or the like. The database may also include non-relational databases, such as HBase, Cassandra, SimpleDB, CouchDB, MongoDB or Redis, etc.
According to an embodiment of the present disclosure, at least one piece of information to be processed may be acquired through a test environment database. For example, Oracle may obtain recently run SQL through the V$SQL view, and MySQL may obtain run SQL through BINLOG.
According to the embodiment of the disclosure, at least one piece of information to be processed can be acquired through a code. The SQL of the code is typically stored in a program file or configuration file prior to compilation. The configuration file may include a structured storage file, such as an extensible markup language (Extensible Markup Language, XML) file. The program files may include Java code files.
Taking the extensible markup language file "<SQL>SELECT user_name FROM ctp_user WHERE user_id = $var</SQL>" as an example, the SQL in the <SQL> tag can be extracted by parsing the extensible markup language file, and $var can be processed into 'var' to obtain the information to be processed.
According to an embodiment of the present disclosure, taking the Java code file containing cs.excutequery("SELECT user_name FROM ctp_user WHERE user_id='" + var + "'") as an example, the SQL statement in the program may be extracted through the Java AST to obtain the information to be processed.
According to the embodiment of the disclosure, after at least one piece of information to be processed is obtained, the at least one piece of information to be processed may be processed respectively, so as to obtain abstract syntax trees corresponding to the at least one piece of information to be processed respectively. The processing manner of the at least one piece of information to be processed may include at least one of: lexical analysis processing and syntax analysis processing. For example, the information to be processed 1 may be processed to obtain the abstract syntax tree 1. The information to be processed 2 may be processed to obtain the abstract syntax tree 2. By analogy, the information to be processed n may be processed to obtain the abstract syntax tree n. By analogy, the information to be processed N may be processed to obtain the abstract syntax tree N.
According to the embodiment of the disclosure, after the abstract syntax trees corresponding to the at least one piece of information to be processed are obtained, the at least one abstract syntax tree may be processed respectively to obtain the preset element information corresponding to the at least one piece of information to be processed. The processing manner of the abstract syntax tree may comprise at least one of the following: replacement processing and reservation processing. For example, the abstract syntax tree 1 may be processed to obtain the preset element information 1. The abstract syntax tree 2 may be processed to obtain the preset element information 2. Similarly, the abstract syntax tree n can be processed to obtain the preset element information n. Similarly, the abstract syntax tree N may be processed to obtain the preset element information N.
According to the embodiment of the disclosure, after the preset element information corresponding to each of the at least one piece of information to be processed is obtained, a preset element information set may be constructed according to the preset element information corresponding to each of the at least one piece of information to be processed.
According to the embodiment of the disclosure, since the preset element information is obtained by processing the at least one abstract syntax tree respectively, and the abstract syntax tree is obtained by processing the at least one piece of information to be processed respectively, the preset element information can characterize the content of interest in the at least one piece of information to be processed. On this basis, the preset element information set is constructed according to the preset element information corresponding to the at least one piece of information to be processed, so that the efficiency and the accuracy of verification of the database access request can be improved, and the safety of database access is further ensured.
According to an embodiment of the present disclosure, constructing a preset element information set according to preset element information corresponding to each of at least one piece of information to be processed may include the following operations.
Feature extraction is performed on the at least one piece of preset element information respectively to obtain the preset element feature information of each of the at least one piece of preset element information. A preset element information set is constructed according to the respective preset element feature information of the at least one piece of preset element information.
According to an embodiment of the present disclosure, the preset element information set may include at least one preset element information. For example, the preset element information set may be stored through an object. Alternatively, the set of preset element information may be stored through text. Alternatively, the set of preset element information may be stored by a set of vectors.
According to the embodiment of the disclosure, after at least one piece of preset element information is obtained, for the preset element information in the at least one piece of preset element information, feature extraction may be performed on the preset element information by using the first text processing model, so as to obtain preset element feature information. The first text processing model may be a result of training the first preset model using the first training sample set and the first label set.
For example, the first training sample set may be input into a first preset model to obtain preset element feature information of the first training sample set. The preset element feature information of the first training sample set and the first label set are input into a first loss function to obtain a first loss function value. Model parameters of the first preset model are adjusted according to the first loss function value until a preset ending condition is met. The first preset model obtained when the preset ending condition is met is determined as the first text processing model.
According to the embodiment of the disclosure, after the at least one piece of preset element feature information is obtained, a preset element information set may be constructed according to the respective preset element feature information of the at least one piece of preset element information. For example, the preset element information set may be { "SELECT user_name FROM ctp_user WHERE user_id = string constant" }.
Fig. 3 schematically illustrates a flowchart of a method of constructing a preset element information set according to an embodiment of the present disclosure.
As shown in fig. 3, in 300, at least one piece of information to be processed 301 may include information to be processed 301_1, information to be processed 301_2, ..., information to be processed 301_m, ..., information to be processed 301_M. M may be an integer greater than or equal to 1, and m ∈ {1, 2, ..., (M-1), M}.
After obtaining the at least one piece of information to be processed 301, the information to be processed 301_1 may be processed, resulting in an abstract syntax tree 302_1. The information to be processed 301_2 may be processed to obtain an abstract syntax tree 302_2. By analogy, the information to be processed 301_m may be processed, resulting in an abstract syntax tree 302_m. By analogy, the information to be processed 301_M may be processed, resulting in an abstract syntax tree 302_M.
After obtaining the at least one abstract syntax tree, the abstract syntax tree 302_1 may be processed to obtain the preset element information 303_1. The abstract syntax tree 302_2 may be processed to obtain the preset element information 303_2. Similarly, the abstract syntax tree 302_m may be processed to obtain the preset element information 303_m. Similarly, the abstract syntax tree 302_M may be processed to obtain the preset element information 303_M.
After obtaining the at least one piece of preset element information, feature extraction may be performed on the preset element information 303_1 to obtain preset element feature information 304_1. Feature extraction may be performed on the preset element information 303_2 to obtain preset element feature information 304_2. Similarly, feature extraction may be performed on the preset element information 303_m to obtain preset element feature information 304_m. Similarly, feature extraction may be performed on the preset element information 303_M to obtain preset element feature information 304_M.
After obtaining the at least one piece of preset element feature information, a preset element information set 305 may be constructed according to the preset element feature information 304_1, the preset element feature information 304_2, ..., the preset element feature information 304_m, ..., and the preset element feature information 304_M.
According to an embodiment of the present disclosure, operation S210 may include the following operations.
In response to receiving the database access request, target to-be-processed information is acquired. Lexical analysis processing is performed on the target to-be-processed information to obtain target intermediate information. Syntax analysis processing is performed on the target intermediate information to obtain a target abstract syntax tree.
According to embodiments of the present disclosure, in response to receiving a database access instruction, target pending information may be obtained from a data source. The target pending information may include at least one command statement. The command statement may include at least one of: SELECT, FROM, WHERE, AND, OR, GROUP BY, HAVING and ORDER BY. After the target information to be processed is obtained, lexical analysis processing can be performed on the target information to be processed to obtain target intermediate information. The target intermediate information can be used for representing target information to be processed after lexical analysis processing.
According to the embodiment of the disclosure, after the target intermediate information is obtained, the target intermediate information may be subjected to syntax analysis processing to obtain a target abstract syntax tree. The target abstract syntax tree can be used for representing target to-be-processed information after lexical analysis processing and syntax analysis processing.
For example, taking the target to-be-processed information "SELECT user_name FROM ctp_user WHERE user_id = '1234'" as an example, after performing lexical analysis processing and syntax analysis processing on the target to-be-processed information, a target abstract syntax tree may be obtained. The target abstract syntax tree may include a selection field: SELECT user_name, a selection table: FROM ctp_user, a screening condition: WHERE, a left constant: user_id, an operator: =, and a right constant: '1234'.
According to the embodiment of the disclosure, the target abstract syntax tree is obtained by performing syntax analysis processing on the target intermediate information, and the target intermediate information is obtained by performing lexical analysis processing on the target information to be processed, so that the target abstract syntax tree corresponding to the target information to be processed can be obtained, and the efficiency of database access request verification is improved.
According to an embodiment of the present disclosure, operation S220 may include the following operations.
At least one of the first preset field and the second preset field is processed to obtain intermediate element information. Target element information is determined from the intermediate element information.
According to an embodiment of the present disclosure, the target abstract syntax tree comprises at least one of: a first preset field and a second preset field.
According to the embodiment of the present disclosure, the first preset field and the second preset field may be set according to actual service requirements, which is not limited herein. The first preset field may be used to characterize the field to be reserved. The first preset field may include at least one of: select field, select table, filter condition, left constant, and operator. The second preset field may be used to characterize the field to be replaced. The second preset field may include at least one of: numbers and right constants.
According to the embodiment of the disclosure, field detection can be performed on the target abstract syntax tree according to the first preset field and the second preset field, so as to obtain a first detection result. And determining a preset rule corresponding to the first detection result according to the first detection result. And processing the first detection result based on the preset rule to obtain the intermediate element information. The preset rules may include at least one of: preset reservation rules and preset replacement rules. The intermediate element information may include at least one of: first intermediate element information and second intermediate element information.
According to the embodiment of the present disclosure, after the intermediate element information is obtained, the target element information may be determined from the intermediate element information. For example, in the case where the intermediate element information includes the first intermediate element information, the first intermediate element information may be directly determined as the target element information. Alternatively, in the case where the intermediate element information includes the second intermediate element information, the second intermediate element information may be directly determined as the target element information. Alternatively, in the case where the intermediate element information includes the first intermediate element information and the second intermediate element information, the first intermediate element information and the second intermediate element information may be combined to obtain the target element information.
According to an embodiment of the present disclosure, in a case where the target abstract syntax tree includes a first preset field, processing at least one of the first preset field and the second preset field to obtain the intermediate element information may include the following operations.
The first preset field is reserved according to a preset reservation rule to obtain first intermediate element information.
According to an embodiment of the present disclosure, in a case where the target abstract syntax tree further includes a second preset field, processing at least one of the first preset field and the second preset field to obtain the intermediate element information may include the following operations.
The second preset field is subjected to replacement processing according to a preset replacement rule to obtain second intermediate element information.
According to the embodiment of the disclosure, the target abstract syntax tree can be detected to obtain a second detection result. In the case that the second detection result characterizes that the target abstract syntax tree includes a first preset field, the first preset field can be reserved according to a preset reservation rule to obtain first intermediate element information. The preset reservation rule may be used to reserve content that does not belong to the business input. The preset reservation rule may be configured according to actual service requirements, and is not limited herein. For example, the preset reservation rule may be set to reserve the first preset field.
According to the embodiment of the disclosure, in the case that the second detection result characterizes that the target abstract syntax tree includes a second preset field, replacement processing may be performed on the second preset field according to a preset replacement rule, so as to obtain second intermediate element information. The preset replacement rule may be used to remove content that may belong to the business input. The preset replacement rule may be configured according to actual service requirements, and is not limited herein. For example, the preset replacement rule may be set to replace the second preset field with the third preset field.
For example, the target abstract syntax tree includes a selection field: SELECT user_name, a selection table: FROM ctp_user, a screening condition: WHERE, a left constant: user_id, an operator: =, and a right constant: '1234'. The first preset field includes the selection field, the selection table, the screening condition, the left constant and the operator, and the second preset field includes the right constant. In this case, the second preset field, that is, the right constant, may be replaced with a third preset field, namely "string constant", according to the preset replacement rule, and the first preset field may be reserved according to the preset reservation rule. On this basis, the target element information is "SELECT user_name FROM ctp_user WHERE user_id = string constant".
According to the embodiment of the disclosure, since the first intermediate element information is obtained by performing reservation processing on the first preset field according to the preset reservation rule, and the second intermediate element information is obtained by performing replacement processing on the second preset field according to the preset replacement rule, content possibly belonging to service input can be removed, and therefore efficiency and accuracy of database access request processing can be ensured. On this basis, the target element information is determined according to the first intermediate element information and the second intermediate element information, so that the safety of database access is ensured.
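The following added example (not code from the patent) walks the XML extraction step and the reservation/replacement step end to end: it pulls SQL out of `<SQL>` tags, turns `$var` into `'var'`, and derives element information by keeping structural tokens and replacing literals. A flat token stream stands in for the abstract syntax tree, and the placeholder strings, function names and sample statements are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed configuration file, modelled on the <SQL> example in the text.
SAMPLE_XML = """<statements>
  <SQL>SELECT user_name FROM ctp_user WHERE user_id = $var</SQL>
  <SQL>SELECT user_name FROM ctp_user WHERE age > 18 AND dept = $dept</SQL>
</statements>"""

KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "GROUP", "BY", "HAVING", "ORDER"}
STRING_PLACEHOLDER = "<string_constant>"  # plays the role of the "third preset field"
NUMBER_PLACEHOLDER = "<number_constant>"  # hypothetical name, same idea for numbers

TOKEN_RE = re.compile(r"""
    (?P<string>'(?:[^']|'')*')            # quoted literal; '' is an escaped quote
  | (?P<number>\b\d+(?:\.\d+)?\b)         # integer or decimal literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_.]*)     # keyword or (qualified) identifier
  | (?P<op><=|>=|<>|!=|[=<>(),;*+/-])     # operators and punctuation
  | (?P<space>\s+)
  | (?P<other>.)                          # anything else is kept verbatim
""", re.VERBOSE)


def extract_sql_from_xml(xml_text):
    """Return the SQL inside every <SQL> element, with $name turned into 'name'."""
    statements = []
    for node in ET.fromstring(xml_text).iter("SQL"):
        sql = " ".join((node.text or "").split())  # collapse whitespace
        statements.append(re.sub(r"\$(\w+)", r"'\1'", sql))
    return statements


def lex(sql):
    """Lexical analysis: (kind, text) pairs with whitespace dropped."""
    return [(m.lastgroup, m.group()) for m in TOKEN_RE.finditer(sql)
            if m.lastgroup != "space"]


def element_info(sql):
    """Reserve structural tokens, replace literals that may carry business input."""
    out = []
    for kind, text in lex(sql):
        if kind == "string":
            out.append(STRING_PLACEHOLDER)       # replacement rule
        elif kind == "number":
            out.append(NUMBER_PLACEHOLDER)       # replacement rule
        elif kind == "word" and text.upper() in KEYWORDS:
            out.append(text.upper())             # reservation rule, case-normalised
        else:
            out.append(text)                     # reservation rule
    return " ".join(out)


def build_preset_set(statements):
    """Preset element information set built from known-good statements."""
    return {element_info(s) for s in statements}


PRESET = build_preset_set(extract_sql_from_xml(SAMPLE_XML))


def is_known_shape(sql):
    """Exact-match form of the verification: is this statement shape in the set?"""
    return element_info(sql) in PRESET


if __name__ == "__main__":
    # Constructed requests: the second one has extra predicates that the
    # configured statement never contained, so its element information differs.
    for request in (
        "SELECT user_name FROM ctp_user WHERE user_id = '1234'",
        "SELECT user_name FROM ctp_user WHERE user_id = '1234' OR '1' = '1'",
    ):
        print(is_known_shape(request), "|", element_info(request))
```

Because literals collapse to placeholders while keywords and operators are kept, any input that adds structure to the statement produces element information that is absent from the set.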
Fig. 4 schematically illustrates a flowchart of a method for processing a target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree according to an embodiment of the disclosure.
As shown in fig. 4, in 400, in response to receiving a database access request 401, target pending information 402 may be obtained. After the target to-be-processed information 402 is obtained, lexical analysis processing may be performed on the target to-be-processed information 402 to obtain target intermediate information 403. After obtaining the target intermediate information 403, the target intermediate information 403 may be parsed to obtain a target abstract syntax tree 404. After obtaining the target abstract syntax tree 404, operation S410 may be performed.
In operation S410, it is determined whether the target abstract syntax tree includes a first preset field. If so, the first preset field may be reserved according to a preset reservation rule, so as to obtain first intermediate element information 405. If not, operation S420 may be performed.
In operation S420, it is determined whether the target abstract syntax tree includes a second preset field. If not, execution of the target element information determination operation may end. If so, the second preset field may be subjected to replacement processing according to a preset replacement rule, so as to obtain second intermediate element information 406.
After the first intermediate element information 405 and/or the second intermediate element information 406 are obtained, the target element information 407 may be determined from the first intermediate element information 405 and/or the second intermediate element information 406.
According to an embodiment of the present disclosure, operation S230 may include the following operations.
Feature extraction is performed on the target element information to obtain target element feature information corresponding to the target element information. The similarity between the target element feature information and at least one piece of preset element feature information is determined to obtain at least one similarity. For each similarity in the at least one similarity, in the case that the similarity is greater than or equal to a predetermined similarity threshold, a verification result characterizing that the target element information is successfully matched with the preset element information is determined. In the case that the similarity is smaller than the predetermined similarity threshold, a verification result characterizing that the target element information is not successfully matched with the preset element information is determined.
According to the embodiment of the disclosure, after the target element information is obtained, the second text processing model may be used to perform feature extraction on the target element information to obtain the target element feature information. The second text processing model may be obtained by training a second preset model using a second training sample set and a second label set. The first text processing model and the second text processing model may be configured according to actual business requirements, and are not limited herein. For example, the first text processing model and the second text processing model may be the same or different.
For example, the second training sample set may be input into a second preset model to obtain element feature information of the second training sample set. The element feature information of the second training sample set and the second label set are input into a second loss function to obtain a second loss function value. Model parameters of the second preset model are adjusted according to the second loss function value until a preset ending condition is met. The second preset model obtained when the preset ending condition is met is determined as the second text processing model.
According to embodiments of the present disclosure, the similarity may be used to characterize a degree of similarity between the target element feature information and the preset element feature information. The relationship between the value of the similarity and the degree of similarity may be configured according to the actual service requirement, which is not limited herein. For example, the larger the value of the similarity, the greater the degree of similarity between the target element feature information and the preset element feature information; conversely, the smaller the value of the similarity, the smaller the degree of similarity between the target element feature information and the preset element feature information. Alternatively, the smaller the value of the similarity, the greater the degree of similarity between the target element feature information and the preset element feature information; conversely, the larger the value of the similarity, the smaller the degree of similarity between the target element feature information and the preset element feature information.
According to the embodiment of the disclosure, the manner of determining the similarity can be configured according to actual service requirements, and is not limited herein. For example, the manner of determining the similarity may include at least one of: a literal similarity-based method, a text similarity-based method, an entity similarity-based method, and the like. The literal similarity-based method may include at least one of: edit distance, Dice coefficient, and Jaccard similarity, etc. The text similarity-based method may include at least one of: cosine similarity, relative entropy, KL (Kullback-Leibler, KL) divergence, probability model similarity, and the like.
According to an embodiment of the present disclosure, after obtaining the at least one similarity, a relationship between the similarity and a predetermined similarity threshold may be determined for each of the at least one similarity. In the case that the similarity is greater than or equal to the predetermined similarity threshold, it may be determined that the matching of the target element information and the preset element information corresponding to the similarity is successful. In the case that the similarity is smaller than the predetermined similarity threshold, it may be determined that the target element information and the preset element information corresponding to the similarity are not successfully matched. The predetermined similarity threshold may be configured according to actual service requirements, and is not limited herein. For example, the predetermined similarity threshold may be set to 0.95.
According to the embodiment of the disclosure, since at least one similarity is determined according to the target element feature information and the preset element feature information, the target element feature information is obtained by feature extraction of the target element information, and thus the similarity can characterize the degree of similarity between the target element feature information and the preset element feature information. On the basis, the verification result is determined according to the relation between the similarity and the preset similarity threshold value, so that the accuracy of determining the verification result is improved, and the safety of database access is further guaranteed.
Fig. 5 schematically illustrates a flowchart of a method for verifying target element information according to a preset element information set to obtain a verification result according to an embodiment of the present disclosure.
As shown in fig. 5, in 500, feature extraction may be performed on the target element information 501 to obtain target element feature information 502 corresponding to the target element information 501.
After the target element feature information 502 is obtained, a degree of similarity between the target element feature information 502 and at least one preset element feature information 503 may be determined, resulting in at least one degree of similarity 504. After obtaining the at least one similarity 504, operation S510 may be performed.
In operation S510, it is determined whether the similarity is greater than or equal to a predetermined similarity threshold. If so, a verification result characterizing that the target element information is successfully matched with the preset element information can be determined. If not, a verification result characterizing that the target element information is not successfully matched with the preset element information can be determined.
According to an embodiment of the present disclosure, the method 200 of verifying a database access request may further include the following operations.
In the case that the verification result characterizes that the target element information is successfully matched with any preset element information in the at least one piece of preset element information, the database access request is allowed to be executed.
According to the embodiment of the present disclosure, in the case that the target element information is not included in the preset element information set, that is, in the case that the target element information is not successfully matched with any preset element information in the at least one piece of preset element information, the current database access operation is considered to be a problem operation, and the execution of the database access request corresponding to the database access operation may be refused. Further, user information and request information corresponding to the database access operation may be recorded.
According to the embodiment of the present disclosure, in the case where the target element information is included in the preset element information set, that is, in the case where the target element information is successfully matched with any preset element information in the at least one piece of preset element information, the current database access operation is considered to be a normal operation, and the execution of the database access request corresponding to the database access operation may be permitted.
Fig. 6 schematically illustrates an example schematic diagram of a validation process of a database access request according to an embodiment of the disclosure.
As shown in fig. 6, in 600, in response to receiving a database access request 601, target pending information 602 may be obtained. After the target to-be-processed information 602 is obtained, lexical analysis processing may be performed on the target to-be-processed information 602 to obtain target intermediate information 603. After obtaining the target intermediate information 603, a parsing process may be performed on the target intermediate information 603 to obtain a target abstract syntax tree 604.
After obtaining the target abstract syntax tree 604, the target abstract syntax tree 604 may be processed to obtain target element information 605 corresponding to the target abstract syntax tree 604.
After the target element information 605 is obtained, the target element information 605 may be verified according to the preset element information set 606, to obtain a verification result 607. After obtaining the verification result 607, operation S610 may be performed.
In operation S610, it is determined whether the verification result indicates that the target element information is not successfully matched with any of the at least one preset element information. If so, the database access request may be denied. If not, the database access request may be granted.
The above is only an exemplary embodiment, but not limited thereto, and other database access request verification methods known in the art may be included as long as the accuracy of database access request verification can be improved and the security of database access can be ensured.
Fig. 7 schematically illustrates a block diagram of a verification apparatus of a database access request according to an embodiment of the present disclosure.
As shown in fig. 7, the verification apparatus 700 of a database access request may include a first processing module 701, a second processing module 702, a verification module 703, and a rejection module 704.
The first processing module 701 is configured to process, in response to receiving the database access request, target to-be-processed information indicated by the database access request, to obtain a target abstract syntax tree corresponding to the target to-be-processed information, where the target to-be-processed information belongs to a structured query language.
The second processing module 702 is configured to process the target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree.
The verification module 703 is configured to verify the target element information according to a preset element information set, to obtain a verification result, where the preset element information set includes at least one preset element information.
The rejection module 704 is configured to reject the execution of the database access request if the verification result indicates that the target element information is not successfully matched with any of the at least one preset element information.
According to an embodiment of the present disclosure, the preset element information set may be constructed in the following manner.
At least one piece of information to be processed is obtained from a data source, wherein the data source comprises at least one of the following: the information to be processed belongs to the structured query language format. The at least one piece of information to be processed is processed respectively to obtain the abstract syntax tree corresponding to each piece of information to be processed. The abstract syntax trees are processed respectively to obtain the preset element information corresponding to each piece of information to be processed. The preset element information set is constructed according to the preset element information corresponding to each of the at least one piece of information to be processed.
According to an embodiment of the present disclosure, constructing a preset element information set according to preset element information corresponding to each of at least one piece of information to be processed may include the following operations.
Feature extraction is performed on each of the at least one piece of preset element information to obtain the preset element feature information of each piece of preset element information. The preset element information set is constructed according to the preset element feature information of each of the at least one piece of preset element information.
According to an embodiment of the present disclosure, the verification module 703 may include a feature extraction unit, a first determination unit, a second determination unit, and a third determination unit.
The feature extraction unit is configured to perform feature extraction on the target element information to obtain target element feature information corresponding to the target element information.
The first determining unit is configured to determine the similarity between the target element feature information and the at least one preset element feature information to obtain at least one similarity.
For each of the at least one similarity:
The second determining unit is configured to determine, in the case that the similarity is greater than or equal to a preset similarity threshold, a verification result characterizing that the target element information is successfully matched with the preset element information.
The third determining unit is configured to determine, in the case that the similarity is less than the preset similarity threshold, a verification result characterizing that the target element information is not successfully matched with the preset element information.
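The construction of the preset element information set and the Fig. 6 verification flow can be exercised end to end in a few dozen lines. The following is an added example, not code from the patent: it substitutes a token-level skeleton for a full abstract syntax tree, and the token classes, the retention and replacement rules (keywords and identifiers kept, literals replaced by `?`), the trigram features, the Jaccard similarity, the 0.9 threshold and all function names are assumptions.

```python
import re

# Assumed keyword list and token classes; the page does not fix a grammar.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "INSERT", "INTO",
            "VALUES", "UPDATE", "SET", "DELETE", "UNION", "ALL", "JOIN", "ON",
            "ORDER", "BY", "GROUP", "HAVING", "LIMIT", "IN", "LIKE", "IS",
            "NULL", "AS"}

TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>--[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:[^']|'')*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<word>[A-Za-z_][A-Za-z0-9_$]*)
  | (?P<op><>|!=|<=|>=|[-+*/%=<>(),.;])
  | (?P<bad>.)
""", re.VERBOSE | re.DOTALL)


def skeleton(sql):
    """Lex one statement and return its element information as a token tuple."""
    out = []
    for m in TOKEN_RE.finditer(sql):
        kind, text = m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind == "bad":
            # e.g. an unterminated string literal: refuse rather than guess
            raise ValueError(f"unlexable input at offset {m.start()}")
        if kind == "comment":
            out.append("<COMMENT>")    # kept visible so it changes the skeleton
        elif kind in ("string", "number"):
            out.append("?")            # replacement rule: literal -> placeholder
        elif kind == "word" and text.upper() in KEYWORDS:
            out.append(text.upper())   # retention rule: keyword, case-folded
        elif kind == "word":
            out.append(text.lower())   # retention rule: table/column name
        else:
            out.append(text)           # operators and punctuation kept as-is
    if out and out[-1] == ";":
        out.pop()                      # a trailing terminator is not structure
    return tuple(out)


def features(tokens, n=3):
    """Feature extraction (assumed): the set of token n-grams with boundaries."""
    padded = ("<S>",) + tokens + ("<E>",)
    return frozenset(padded[i:i + n] for i in range(max(1, len(padded) - n + 1)))


def similarity(a, b):
    """Jaccard similarity of two feature sets (assumed metric)."""
    return len(a & b) / len(a | b)


def build_preset_set(known_good_statements):
    """Preset element information set built from statements known to be normal."""
    return {features(skeleton(s)) for s in known_good_statements}


def verify(sql, preset_set, threshold=0.9):
    """Return (allowed, best_similarity); unlexable input is denied."""
    try:
        target = features(skeleton(sql))
    except ValueError:
        return False, 0.0
    best = max((similarity(target, p) for p in preset_set), default=0.0)
    return best >= threshold, best


# Constructed sample statements standing in for the data source.
KNOWN_GOOD = [
    "SELECT id, name FROM users WHERE id = 42",
    "UPDATE accounts SET balance = balance - 100.00 WHERE acct_no = 'A-1'",
]
PRESET = build_preset_set(KNOWN_GOOD)

if __name__ == "__main__":
    # Constructed requests: two with known structure, three without.
    for request in [
        "select id, name from users where id = 7",
        "UPDATE accounts SET balance = balance - 5 WHERE acct_no = 'B-2'",
        "SELECT id, name FROM users WHERE id = 7 OR 1 = 1",
        "DELETE FROM users",
        "SELECT id, name FROM users WHERE id = 'x",
    ]:
        allowed, best = verify(request, PRESET)
        print("ALLOW" if allowed else "DENY ", f"{best:.3f}", request)
```

With the threshold lowered to 0.7 the third request, whose similarity to the first baseline statement is 10/14, would be allowed; a threshold of 1.0 (exact skeleton equality) is the strictest setting.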
According to an embodiment of the present disclosure, the first processing module 701 may include a first acquisition unit, a first processing unit, and a second processing unit.
The first acquisition unit is used for responding to the received database access request and acquiring target information to be processed.
The first processing unit is used for performing lexical analysis processing on the target information to be processed to obtain target intermediate information.
The second processing unit is configured to perform syntax analysis processing on the target intermediate information to obtain the target abstract syntax tree.
According to an embodiment of the present disclosure, the target abstract syntax tree comprises at least one of: a first preset field and a second preset field.
According to an embodiment of the present disclosure, the second processing module 702 may include a third processing unit and a fourth determining unit.
The third processing unit is configured to process at least one of the first preset field and the second preset field to obtain intermediate element information.
The fourth determining unit is configured to determine the target element information according to the intermediate element information.
According to an embodiment of the present disclosure, in the case that the target abstract syntax tree comprises the first preset field, the third processing unit comprises a reservation processing subunit.
The reservation processing subunit is configured to perform reservation processing on the first preset field according to a preset reservation rule to obtain first intermediate element information.
According to an embodiment of the present disclosure, in the case that the target abstract syntax tree further comprises the second preset field, the third processing unit comprises a replacement processing subunit.
The replacement processing subunit is configured to perform replacement processing on the second preset field according to a preset replacement rule to obtain second intermediate element information.
According to an embodiment of the present disclosure, the second processing module 702 may further include a fifth determining unit.
The fifth determining unit is configured to determine the target element information based on the first intermediate element information and the second intermediate element information.
According to an embodiment of the present disclosure, the verification device 700 of the database access request may further include a permission module.
The permission module is configured to permit the database access request to be executed in the case that the verification result characterizes that the target element information is successfully matched with any preset element information in the at least one preset element information.
Any number of modules, sub-modules, units, sub-units, or at least some of the functionality of any number of the sub-units according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented as split into multiple modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or in any other reasonable manner of hardware or firmware that integrates or encapsulates the circuit, or in any one of or a suitable combination of three of software, hardware, and firmware. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be at least partially implemented as computer program modules, which when executed, may perform the corresponding functions.
For example, any of the first processing module 701, the second processing module 702, the verification module 703, and the rejection module 704 may be combined in one module/unit/sub-unit, or any of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least some of the functionality of one or more of these modules/units/sub-units may be combined with at least some of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to embodiments of the present disclosure, at least one of the first processing module 701, the second processing module 702, the verification module 703 and the rejection module 704 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging the circuitry, or in any one of, or a suitable combination of, software, hardware and firmware. Alternatively, at least one of the first processing module 701, the second processing module 702, the verification module 703 and the rejection module 704 may be at least partially implemented as computer program modules which, when executed, may perform the respective functions.
It should be noted that, in the embodiments of the present disclosure, the verification device for a database access request corresponds to the verification method for a database access request; for the description of the device, refer to the description of the method, which is not repeated here.
Fig. 8 schematically illustrates a block diagram of an electronic device adapted to implement a method of verifying a database access request, according to an embodiment of the disclosure. The electronic device shown in fig. 8 is merely an example and should not be construed to limit the functionality and scope of use of the disclosed embodiments.
As shown in fig. 8, a computer electronic device 800 according to an embodiment of the present disclosure includes a processor 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 809 into a Random Access Memory (RAM) 803. The processor 801 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 801 may also include on-board memory for caching purposes. The processor 801 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the disclosure.
In the RAM 803, various programs and data required for the operation of the electronic device 800 are stored. The processor 801, the ROM 802, and the RAM 803 are connected to each other by a bus 804. The processor 801 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 802 and/or the RAM 803. Note that the program may be stored in one or more memories other than the ROM 802 and the RAM 803. The processor 801 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 800 may also include an input/output (I/O) interface 805, the input/output (I/O) interface 805 also being connected to the bus 804. The electronic device 800 may also include one or more of the following components connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
According to embodiments of the present disclosure, the method flow according to embodiments of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 802 and/or RAM 803 and/or one or more memories other than ROM 802 and RAM 803 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program comprising program code for performing the method provided by the embodiments of the present disclosure, the program code for causing an electronic device to implement the method of verifying a database access request provided by the embodiments of the present disclosure when the computer program product is run on the electronic device.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 801. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, and/or from a removable medium 811 via a communication portion 809. The computer program may include program code that may be transmitted using any appropriate network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
According to embodiments of the present disclosure, program code for performing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages, and in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C, or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or incorporated in various ways, even if such combinations or incorporations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or incorporated without departing from the spirit and teachings of the present disclosure. All such combinations and/or incorporations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (12)

1. A method of validating a database access request, comprising:
responding to a received database access request, and processing target to-be-processed information indicated by the database access request to obtain a target abstract syntax tree corresponding to the target to-be-processed information, wherein the target to-be-processed information belongs to a structured query language;
processing the target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree;
verifying the target element information according to a preset element information set to obtain a verification result, wherein the preset element information set comprises at least one preset element information; and
refusing to execute the database access request under the condition that the verification result characterizes that the target element information is not successfully matched with any of the at least one preset element information.
2. The method of claim 1, wherein the preset element information set is constructed by:
at least one piece of information to be processed is obtained from a data source, wherein the data source comprises at least one of the following: the information to be processed belongs to a structured query language format;
processing the at least one piece of information to be processed respectively to obtain abstract syntax trees corresponding to the at least one piece of information to be processed respectively;
respectively processing abstract syntax trees corresponding to the at least one piece of information to be processed to obtain preset element information corresponding to the at least one piece of information to be processed; and
constructing the preset element information set according to the preset element information corresponding to each of the at least one piece of information to be processed.
3. The method according to claim 2, wherein the constructing the preset element information set according to preset element information corresponding to each of the at least one piece of information to be processed includes:
respectively extracting features of the at least one piece of preset element information to obtain respective preset element feature information of the at least one piece of preset element information; and
constructing the preset element information set according to the respective preset element feature information of the at least one piece of preset element information.
4. The method according to claim 3, wherein the verifying the target element information according to the preset element information set, and obtaining a verification result includes:
extracting the characteristics of the target element information to obtain target element characteristic information corresponding to the target element information;
determining the similarity between the target element characteristic information and the at least one preset element characteristic information to obtain at least one similarity;
for each of the at least one similarity,
determining the verification result representing successful matching of the target element information and the preset element information under the condition that the similarity is larger than or equal to a preset similarity threshold; and
under the condition that the similarity is smaller than the preset similarity threshold, determining the verification result which represents that the target element information is not successfully matched with the preset element information.
5. The method according to any one of claims 1 to 4, wherein, in response to receiving a database access request, processing target to-be-processed information indicated by the database access request, to obtain a target abstract syntax tree corresponding to the target to-be-processed information includes:
responding to the received database access request, and acquiring the target information to be processed;
performing lexical analysis processing on the target information to be processed to obtain target intermediate information; and
performing syntax analysis processing on the target intermediate information to obtain the target abstract syntax tree.
6. The method of any of claims 1-4, wherein the target abstract syntax tree comprises at least one of: a first preset field and a second preset field;
the processing the target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree comprises the following steps:
processing at least one of the first preset field and the second preset field to obtain intermediate element information; and
determining the target element information according to the intermediate element information.
7. The method of claim 6, wherein,
in the case that the target abstract syntax tree includes the first preset field, the processing at least one of the first preset field and the second preset field to obtain intermediate element information includes:
according to a preset reservation rule, reserving the first preset field to obtain first intermediate element information; and
in the case that the target abstract syntax tree further includes the second preset field, the processing at least one of the first preset field and the second preset field to obtain intermediate element information includes:
carrying out replacement processing on the second preset field according to a preset replacement rule to obtain second intermediate element information.
8. The method of any one of claims 1 to 4, further comprising:
under the condition that the verification result represents that the target element information is successfully matched with any preset element information in the at least one preset element information, permitting the database access request to be executed.
9. A database access request verification apparatus, comprising:
the first processing module is used for responding to a received database access request, processing target to-be-processed information indicated by the database access request, and obtaining a target abstract syntax tree corresponding to the target to-be-processed information, wherein the target to-be-processed information belongs to a structured query language;
the second processing module is used for processing the target abstract syntax tree to obtain target element information corresponding to the target abstract syntax tree;
the verification module is used for verifying the target element information according to a preset element information set to obtain a verification result, wherein the preset element information set comprises at least one preset element information; and
the rejecting module is used for rejecting the database access request to be executed under the condition that the verification result represents that the target element information is not successfully matched with any of the at least one preset element information.
10. An electronic device, comprising:
one or more processors;
a memory for storing one or more instructions,
wherein the one or more instructions, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1 to 8.
11. A computer readable storage medium having stored thereon executable instructions which when executed by a processor cause the processor to implement the method of any of claims 1 to 8.
12. A computer program product comprising computer executable instructions for implementing the method of any one of claims 1 to 8 when executed.
CN202310101152.XA 2023-01-28 2023-01-28 Verification method and device for database access request, electronic equipment and storage medium Pending CN116049222A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310101152.XA CN116049222A (en) 2023-01-28 2023-01-28 Verification method and device for database access request, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN116049222A true CN116049222A (en) 2023-05-02

Family

ID=86124049

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310101152.XA Pending CN116049222A (en) 2023-01-28 2023-01-28 Verification method and device for database access request, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN116049222A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination