CN117033445A - Full-secret database cost transfer method, device, equipment and storage medium - Google Patents

Publication number
CN117033445A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311040447.7A
Other languages
Chinese (zh)
Inventor
郭琰
冯岳松
韩朱忠
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Dameng Database Co Ltd
Original Assignee
Shanghai Dameng Database Co Ltd
Application filed by Shanghai Dameng Database Co Ltd
Priority to CN202311040447.7A
Publication of CN117033445A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The invention discloses a full-secret database cost transfer method, device, equipment and storage medium. The method comprises the following steps: acquiring an initial Structured Query Language (SQL) statement; replacing constant data in the initial SQL statement with constant marks to obtain an SQL statement to be executed; sending the SQL statement to be executed to a server, and receiving statement analysis information returned by the server; and sending, according to the statement analysis information, response information comprising real data or encrypted data corresponding to the constant marks to the server, so that the server executes the SQL statement to be executed. In this method, constant data in the initial SQL statement is replaced by constant marks and the replaced SQL statement is sent to the server for analysis, so that the work of determining whether the constant data needs to be encrypted is transferred to the server, and the overall performance of the full-secret database can be improved by using the higher hardware performance of the server.

Description

Full-secret database cost transfer method, device, equipment and storage medium
Technical Field
The embodiment of the invention relates to the technical field of information security, in particular to a full-secret database cost transfer method, device and equipment and a storage medium.
Background
In a full-secret database, a user can designate table columns as full-secret encryption columns. The data in such a column always exists as ciphertext during transmission, computation, storage and every other stage, which greatly improves data security. The full-secret database divides the life cycle of data into a trusted domain and an untrusted domain. The trusted domain is typically the database client, an upper-layer user program and the like, where data is considered secure and can be decrypted to expose the plaintext. The untrusted domain is usually the network transmission environment and the database server, including the server's memory and hard disk; data must exist as ciphertext throughout the untrusted domain, otherwise private data is considered to have leaked.
In most database application scenarios, the database front end in the trusted domain, such as a web service that only displays data or middleware that calls a database interface, generally lacks good hardware in terms of computing power, memory capacity and so on, while the database server in the untrusted domain has strong hardware performance. However, a large amount of the work in a full-secret database is done at the database front end. Parsing SQL statements there makes the front-end program occupy a large amount of memory and consume a large amount of time, and the poor computing power of the front end also degrades the overall performance of the full-secret database.
Disclosure of Invention
The invention provides a cost transfer method, device and equipment for a full-secret database and a storage medium, which are used for solving the problem of poor overall performance of the full-secret database in the prior art.
According to an aspect of the present invention, there is provided a full-secret database cost transfer method applied to a database front end, the method comprising:
acquiring an initial Structured Query Language (SQL) statement;
replacing constant data in the initial SQL statement with constant marks to obtain an SQL statement to be executed;
sending the SQL statement to be executed to a server, and receiving statement analysis information returned by the server;
and sending, according to the statement analysis information, response information comprising real data or encrypted data corresponding to the constant marks to the server, so that the server executes the SQL statement to be executed.
According to another aspect of the present invention, there is provided a full-secret database cost transfer method, applied to a server, the method comprising:
receiving an SQL statement to be executed sent by the front end of a database; the constant data in the SQL statement to be executed is replaced by a constant mark;
analyzing the SQL statement to be executed according to a full-secret metadata table to obtain statement analysis information, and sending the statement analysis information to the front end of the database;
and receiving response information which is returned by the front end of the database and comprises real data or encrypted data corresponding to the constant marks, so as to execute the SQL statement to be executed.
According to another aspect of the present invention, there is provided an all-secret database cost transfer apparatus applied to a database front end, the apparatus comprising:
the acquisition module is used for acquiring an initial structured query language SQL statement;
the replacing module is used for replacing constant data in the initial SQL statement with constant marks to obtain an SQL statement to be executed;
the first receiving module is used for sending the SQL statement to be executed to a server and receiving statement analysis information returned by the server;
and the first sending module is used for sending response information comprising real data or encrypted data corresponding to the constant marks to the server according to the statement analysis information so as to enable the server to execute the SQL statement to be executed.
According to another aspect of the present invention, there is provided an all-secret database cost transfer apparatus applied to a server, the apparatus comprising:
the second receiving module is used for receiving the SQL statement to be executed sent by the front end of the database; the constant data in the SQL statement to be executed is replaced by a constant mark;
the second sending module is used for analyzing the SQL statement to be executed according to the full-secret metadata table to obtain statement analysis information, and sending the statement analysis information to the front end of the database;
and the execution module is used for receiving response information which is returned by the front end of the database and comprises real data or encrypted data corresponding to the constant marks so as to execute the SQL statement to be executed.
According to another aspect of the present invention, there is provided an electronic apparatus including: at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the full-secret database cost transfer method of any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to implement the full-secret database cost transfer optimization method according to any embodiment of the present invention when executed.
The embodiment of the invention discloses a full-secret database cost transfer method, device, equipment and storage medium, wherein the method comprises the following steps: acquiring an initial Structured Query Language (SQL) statement; replacing constant data in the initial SQL statement with constant marks to obtain an SQL statement to be executed; sending the SQL statement to be executed to a server, and receiving statement analysis information returned by the server; and sending, according to the statement analysis information, response information comprising real data or encrypted data corresponding to the constant marks to the server, so that the server executes the SQL statement to be executed. In this method, constant data in the initial SQL statement is replaced by constant marks and the replaced SQL statement is sent to the server for analysis, so that the work of determining whether the constant data needs to be encrypted is transferred to the server. The overall performance of the full-secret database can thus be improved by using the higher hardware performance of the server, which solves the problem of poor overall performance of the full-secret database in the prior art.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a flow chart of a full-secret database cost transfer method according to a first embodiment of the present invention;
Fig. 2 is a flow chart of a full-secret database cost transfer method according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a full-secret database cost transfer device according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a full-secret database cost transfer device according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention. It should be understood that the various steps recited in the method embodiments of the present invention may be performed in a different order and/or performed in parallel. Furthermore, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the invention is not limited in this respect.
The term "including" and variations thereof as used herein are intended to be open-ended, i.e., "including, but not limited to". The term "based on" means "based at least in part on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Related definitions of other terms will be given in the description below.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that references to "one" and "a plurality" in this disclosure are intended to be illustrative rather than limiting, and those skilled in the art will appreciate that they are to be construed as "one or more" unless the context clearly indicates otherwise.
The names of messages or information interacted between the devices in the embodiments of the present invention are for illustrative purposes only and are not intended to limit the scope of such messages or information.
Example 1
Fig. 1 is a flow chart of a full-secret database cost transfer method provided in an embodiment of the present invention, where the method is applied to a front end of a database, and is particularly applicable to a case of accessing a full-secret database through an SQL statement, and the method may be performed by a full-secret database cost transfer device, where the device may be implemented by software and/or hardware and is generally integrated on an electronic device, and in this embodiment, the electronic device includes but is not limited to: database front end, etc.
As shown in fig. 1, a method for transferring cost of a full-secret database according to a first embodiment of the present invention includes the following steps:
S110, acquiring an initial Structured Query Language (SQL) statement.
The structured query language (Structured Query Language, SQL) may be a language for managing a relational database management system, with the scope of SQL including data insertion, query, update and deletion, database schema creation and modification, and data access control, among others. The database can be accessed and processed through SQL. The initial structured query language SQL statement may be an SQL statement that requires an operation on the database. The initial SQL statement may be input by the user or may be preset. The present embodiment does not limit the type of the initial SQL statement, and for example, the initial SQL statement may be an insert statement, a query statement, an update statement, a delete statement, or other statement.
In this embodiment, the front end of the database may obtain an SQL statement input by the user, and use the SQL statement as an initial SQL statement. The database front end may be a client that needs to use the database.
S120, replacing constant data in the initial SQL statement with constant marks to obtain the SQL statement to be executed.
Constant data may be a quantity that is given a meaning in the initial SQL statement and cannot be changed. For example, if the data table includes two columns, name and age, and the initial SQL statement sets name=A and age=B, then A and B are constant data in the initial SQL statement. The constant mark may be a marker that stands for constant data, and the type of the constant mark may be set according to the actual situation, which is not limited in this embodiment. For example, the constant mark may be the symbol "?", i.e., constant data is replaced with the symbol "?". The SQL statement to be executed may be an SQL statement in which constant data has been replaced with constant marks.
In this embodiment, after the front end of the database obtains the initial SQL statement, it performs a simple lexical analysis on the initial SQL statement, identifies all constant data in it, and replaces all constant data with constant marks to obtain the SQL statement to be executed. Illustratively, when the user queries the database front end for the phone number of the person whose ID column is 1369 and whose NAME column is 'YUESONG' in the TBL table, the SQL statement is as follows:
SELECT PHONE FROM TBL WHERE ID=1369 AND NAME='YUESONG';
Here the constant data includes the integer 1369 and the string 'YUESONG'. The database front end may replace the constant data with the constant mark "?", and the replaced SQL statement is:
SELECT PHONE FROM TBL WHERE ID=? AND NAME=?;
S130, sending the SQL statement to be executed to a server, and receiving statement analysis information returned by the server.
The server may be responsible for receiving front-end requests and processing the data sent to the front end. The statement analysis information may be the information obtained by analyzing the SQL statement to be executed, and may include the mark number corresponding to each constant mark and full-secret encryption information.
In this embodiment, the front end of the database may send the SQL statement to be executed to the server, and receive statement analysis information returned by the server, and determine whether the constant data needs to be encrypted according to the statement analysis information.
S140, sending response information comprising real data or encrypted data corresponding to the constant marks to the server according to the statement analysis information, so that the server executes the SQL statement to be executed.
The real data may be unencrypted data, and the encrypted data may be data that has been encrypted. The response information may be information, including the constant data, that is sent from the database front end to the server.
In this embodiment, the front end of the database determines from the statement analysis information whether the constant data corresponding to a constant mark needs to be encrypted. If so, it encrypts the constant data and adds the encrypted constant data to the response information; if encryption is not needed, it adds the real data of the constant data directly to the response information. The response information is then sent to the server.
In one embodiment, the sending, according to the statement analysis information, response information including real data or encrypted data corresponding to the constant marks to the server includes:
for each constant mark in the statement analysis information, judging whether the constant mark has corresponding full-secret encryption information; if yes, encrypting the real data corresponding to the constant mark according to the full-secret encryption information to obtain encrypted data, and adding the encrypted data corresponding to the constant mark and the mark number into the response information; if not, adding the real data corresponding to the constant mark and the mark number into the response information; and sending the response information to the server.
The full-secret encryption information may be the encryption information of a table column, and may include a table identifier, a column identifier, an encryption key, an encryption algorithm and the like. The table identifier may be a unique identifier of the table to which the constant data belongs, the column identifier may be a unique identifier of the column to which the constant data belongs, the encryption key may be the key used for encryption, and the encryption algorithm may be the algorithm used for encryption. The table identifier, column identifier, encryption key and encryption algorithm may be set by the user when creating the data table or in a subsequent process, which is not limited in this embodiment. The mark number may be the number of a constant mark, and may be assigned at the server side.
In this embodiment, for each constant mark in the statement analysis information, the front end of the database first determines whether the constant mark has corresponding full-secret encryption information. If not, it acquires the real data corresponding to the current constant mark and adds the mark number and the real data of the current constant mark to the response information. If so, it acquires the real data corresponding to the current constant mark, encrypts the real data according to the full-secret encryption information (encryption key and encryption algorithm), and adds the mark number of the current constant mark and the resulting encrypted data to the response information. After all constant marks in the statement analysis information have been processed, the front end of the database sends the response information to the server.
The first embodiment of the invention provides a cost transfer method for a full-secret database, which comprises the following steps: acquiring an initial Structured Query Language (SQL) statement; replacing constant data in the initial SQL statement with constant marks to obtain an SQL statement to be executed; sending the SQL statement to be executed to a server, and receiving statement analysis information returned by the server; and sending, according to the statement analysis information, response information comprising real data or encrypted data corresponding to the constant marks to the server, so that the server executes the SQL statement to be executed. In this method, constant data in the initial SQL statement is replaced by constant marks and the replaced SQL statement is sent to the server for analysis, so that the work of determining whether the constant data needs to be encrypted is transferred to the server. The overall performance of the full-secret database can thus be improved by using the higher hardware performance of the server, which solves the problem of poor overall performance of the full-secret database in the prior art.
On the basis of the above embodiments, modified embodiments of the above embodiments are proposed, and it is to be noted here that only the differences from the above embodiments are described in the modified embodiments for the sake of brevity of description.
In one embodiment, the method further comprises:
receiving statement execution information returned by the server; judging whether a target column in the statement execution information comprises full-secret encryption information; if yes, decrypting column data corresponding to the target column according to the full-secret encryption information in the statement execution information to obtain a plaintext result set.
The statement execution information may be the execution result of the SQL statement to be executed, obtained by querying with the encrypted information. Statement execution information may include a target column identifier, column data, and the full-secret encryption information of the target column. The target column may be a column in the SQL statement execution result. The plaintext result set may be the statement execution information after decryption.
In this embodiment, after the front end of the database receives the statement execution information, it may determine from that information whether the target column includes full-secret encryption information. If so, the real data of the target column is obtained by decryption: the target column data is decrypted using the full-secret encryption information corresponding to the target column to obtain the final plaintext result set.
In one embodiment, the method further comprises:
and if the created data table comprises a full-secret encryption column, sending the full-secret encryption information of the full-secret encryption column to the server.
Wherein the full-secret encryption column may be a column that needs to be encrypted.
In this embodiment, if a column is designated as a full-secret encryption column when the user creates the data table, the front end of the database may send full-secret encryption information of the full-secret encryption column to the server, and the server may store the full-secret encryption information in the full-secret metadata table.
For example, suppose a user creates a data table TBL in the database, where the table includes three columns, an ID column, a NAME column, and a PHONE column. The ID column and the PHONE column are designated as full-secret encryption columns, the encryption keys used are CK1 and CK2, respectively, and the encryption algorithm corresponding to both encryption keys is EA. The table creation statement is as follows:
CREATE TABLE TBL(
    ID INT FULL ENCRYPT WITH CK1,
    NAME VARCHAR(20),
    PHONE VARCHAR(20) FULL ENCRYPT WITH CK2
);
When the data table is created, the server stores the full-secret encryption information of the TBL table into the full-secret metadata table. After the data table is created, the full-secret metadata table contains two records, as follows:
table identifier TBL, column identifier ID, encryption key CK1, encryption algorithm EA;
table identifier TBL, column identifier PHONE, encryption key CK2, encryption algorithm EA.
The table identifier can be set as a table number and the column identifier as a column number. Each object in the database has a unique number, and the object can be located directly in the database through that number. Basic information such as the data type of each column can also be stored in the full-secret metadata table; details are not repeated here. In the subsequent process, the server can acquire the full-secret encryption information of a table column by querying the full-secret metadata table.
In existing full-secret databases, a large amount of work is done at the database front end. The front end must first parse the SQL statement (lexical analysis, syntax analysis and partial semantic analysis) to identify the private data in it, then encrypt the private data to obtain an SQL statement that contains no plaintext private data, and send that statement to the database server in the untrusted domain for execution. The execution result is still ciphertext; it is transmitted back to the front end through the untrusted domain, and the front end then decrypts it to obtain the final plaintext private data. However, parsing SQL statements in this way makes the database front-end program occupy a large amount of memory and consume a large amount of time. In this embodiment, the full-secret-related work of the database front end is transferred as far as possible to the better-performing database server, where it is completed using the computing power provided by the server's strong hardware configuration. This reduces execution time and the overhead of the database client and user program, thereby improving overall performance.
Example two
Fig. 2 is a flow chart of a full-secret database cost transfer method provided in a second embodiment of the present invention, where the method is applied to a server, and is particularly applicable to a case of analyzing and executing SQL statements, and the method may be executed by a full-secret database cost transfer device, where the device may be implemented by software and/or hardware and is generally integrated on an electronic device, and in this embodiment, the electronic device includes but is not limited to: server, etc. For details not yet described in detail in this embodiment, refer to embodiment one.
As shown in fig. 2, a method for transferring cost of a full-secret database according to a second embodiment of the present invention includes the following steps:
S210, receiving an SQL statement to be executed sent by the front end of a database, wherein constant data in the SQL statement to be executed has been replaced with constant marks.
The SQL statement to be executed may be an SQL statement in which constant data has been replaced with constant marks. Constant data may be a quantity that is given a meaning in the initial SQL statement and cannot be changed. The constant mark may be a marker that stands for constant data, and the type of the constant mark may be set according to the actual situation, which is not limited in this embodiment. For example, the constant mark may be the symbol "?", i.e., constant data is replaced with the symbol "?".
In this embodiment, the server may receive the SQL statement to be executed sent by the front end of the database. For example, the SQL statement to be executed that the server receives may be: SELECT PHONE FROM TBL WHERE ID=? AND NAME=?;
S220, analyzing the SQL statement to be executed according to the full-secret metadata table to obtain statement analysis information, and sending the statement analysis information to the front end of the database.
The full-secret metadata table may be a table storing full-secret encryption information. The full-secret encryption information may be the encryption information of a table column, and may comprise information such as a table identifier, a column identifier, an encryption key and an encryption algorithm. The statement analysis information may be the information obtained by analyzing the SQL statement to be executed, and may include the tag number corresponding to each constant tag and the full-secret encryption information.
In this embodiment, after receiving the SQL statement to be executed, the server may take the constant tag as dummy data, perform SQL parsing according to a conventional procedure, and generate an execution plan. After the execution plan is generated, the server acquires real data or encrypted data corresponding to the constant marks from the front end of the database through statement analysis information.
In one embodiment, the parsing the SQL statement to be executed according to the full-secret metadata table to obtain statement parsing information includes:
for each table column corresponding to the constant mark, inquiring whether the table column is a full-secret encryption column in a full-secret metadata table; if yes, acquiring full-secret encryption information corresponding to the table column, and adding a mark number corresponding to the constant mark and the full-secret encryption information to statement analysis information; if not, adding the mark number corresponding to the constant mark to the statement analysis information.
Wherein the table column may be a column of a data table to which the constant tag corresponds. The full-secret encryption column may be a column that needs to be encrypted.
In this embodiment, in the parsing stage of the SQL statement to be executed, for each table column corresponding to a constant tag, the server may query the full-secret metadata table, determine whether the table column is a full-secret encryption column, if so, obtain full-secret encryption information corresponding to the table column, and add the current constant tag number (for example, the number of the first constant tag in the SQL statement to be executed may be 1, the tag number of the second constant tag may be 2, and so on) and the corresponding full-secret encryption information to the statement parsing information; if not, directly adding the mark number of the current constant mark into the statement analysis information. After the analysis of the SQL statement to be executed is completed and an execution plan is generated, the server sends statement analysis information to the front end of the database.
And S230, receiving response information which is returned by the front end of the database and comprises real data or encrypted data corresponding to the constant marks, so as to execute the SQL statement to be executed.
The real data may be data that has not been encrypted, and the encrypted data may be data that has been encrypted. The response information may be information, including constant data, sent from the database front end to the server.
In this embodiment, after receiving the response information sent by the front end of the database, the server may replace the constant flags in the execution plan with corresponding real data or encrypted data, respectively, and then execute the SQL statement to be executed according to the execution plan.
In one embodiment, the receiving, by the front end of the database, response information including real data or encrypted data corresponding to the constant tag, so as to execute the SQL statement to be executed, includes:
for each constant mark in the response information, inquiring a position corresponding to the constant mark in an execution plan corresponding to the SQL sentence to be executed according to the mark number; replacing the constant marks in the positions with real data or encrypted data of the constant marks; and after each constant mark in the response information is processed, executing the SQL sentence to be executed according to the execution plan.
The execution plan may be a specific step of the database executing the SQL statement, such as accessing data in a table by indexing or full table scanning, an implementation of a join query, a sequence of joins, and so on.
In this embodiment, for each constant tag in the response information, the server finds the corresponding constant tag in the execution plan of the SQL statement to be executed according to its tag number, and replaces the constant tag with the real data or encrypted data corresponding to the constant tag in the response information. After all the constant marking processing in the response information is completed, the server can execute the SQL sentence to be executed according to the execution plan.
The second embodiment of the invention provides a cost transfer method for a full-secret database, which comprises the following steps: receiving an SQL statement to be executed sent by the front end of a database, wherein the constant data in the SQL statement to be executed has been replaced by constant marks; analyzing the SQL statement to be executed according to a full-secret metadata table to obtain statement analysis information, and sending the statement analysis information to the front end of the database; and receiving response information which is returned by the front end of the database and comprises real data or encrypted data corresponding to the constant marks, so as to execute the SQL statement to be executed. In this method, the SQL statement to be executed sent by the front end of the database is analyzed against the full-secret metadata table to obtain statement analysis information, which is sent to the front end of the database. The determination of whether constant data needs to be encrypted is thereby transferred to the server, so that the overall performance of the full-secret database is improved by utilizing the higher hardware performance of the server, and the problem of poor overall performance of the full-secret database in the prior art is solved.
In one embodiment, after executing the SQL statement to be executed, the method further comprises:
obtaining an execution result set of the SQL sentence to be executed, wherein the execution result set comprises a target column identifier corresponding to a target column and column data; for each target column in the execution result set, determining whether the target column is a full-secret encryption column according to the full-secret metadata table; if yes, adding the target column identification, column data and full-secret encryption information corresponding to the target column to statement execution information; if not, adding the target column identifier and the column data to statement execution information; and sending the statement execution information to the front end of the database.
The execution result set may be the execution result of the SQL statement to be executed. The statement execution information may be the execution result of the SQL statement to be executed together with the full-secret encryption information of any target column that is a full-secret encryption column.
In this embodiment, after executing the SQL statement to be executed, the server obtains an execution result set, where the execution result set includes a target column identifier (e.g., PHONE) and corresponding column data. For each target column in the execution result set, the server can query the full-secret metadata table, judge whether the current target column is the full-secret encryption column according to the full-secret metadata table, if so, add the current target column identification, the target column data and the corresponding full-secret encryption information into the sentence execution information; if not, the current target column identification and the target column data are directly added into statement execution information. After all the target columns are processed, the server sends statement execution information to the front end of the database.
In one embodiment, the method further comprises:
receiving full-secret encryption information of a full-secret encryption column sent by the front end of the database; and storing the full-secret encryption information in a full-secret metadata table.
In this embodiment, the server may update the full-secret metadata table maintained on the server according to the full-secret encryption information of the full-secret encryption column sent by the front end of the database.
The embodiment maintains all the full-secret encryption information in the current system through the server. Aiming at the SQL sentence to be executed, the front end of the database only carries out simple lexical analysis on the SQL sentence, all constant data in the SQL sentence are replaced by constant marks, and then the SQL sentence is sent to the server; the server carries out grammar analysis and semantic analysis on the SQL sentence, and generates an execution plan, and after the execution plan is generated, the server sends constant marks and full-secret encryption information to the front end of the database to obtain constant data; the front end of the database encrypts constant data to be encrypted and then sends all the constant data to the server; the server fills the constant data into an execution plan, executes SQL sentences to obtain an execution result, and sends the execution result and full-secret encryption information to the front end of the database; and the front end of the database decrypts the execution result to obtain a final plaintext result. By transferring the grammar analysis and the semantic analysis of the SQL sentence to the server, the overall performance of the full-secret database is greatly improved by utilizing the higher hardware performance of the server, the occupation of a large amount of memory of a front-end program of the database is avoided, meanwhile, the whole plaintext of the private data only appears in a trusted domain, and the requirements of the full-secret technology are met.
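The round trip summarised above, as an added example that is not code from the patent: the front end marks constants, the server reports per tag number whether encryption is needed, and the private constant reaches the server only as ciphertext. Assumptions of this example: all class and function names, a single SELECT ... WHERE statement shape, a `key_id` field in place of the key itself, and a deterministic stand-in cipher so that equality can be evaluated over ciphertext.

```python
import hashlib
import hmac
import re

# Constructed demo key, held only by the front end (trusted domain).
FRONTEND_KEYS = {"k1": b"constructed-demo-key"}
LITERAL = re.compile(r"'((?:[^']|'')*)'|\b(\d+)\b")  # string or integer literal

def det_crypt(key, data):
    """Stand-in deterministic cipher (XOR with an HMAC-SHA256 keystream).
    Illustration only, not a secure design; applying it twice decrypts."""
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class FrontEnd:
    def mark_constants(self, sql):
        """Lexical pass only: replace each literal with '?', keep the values locally."""
        constants = []
        def swap(m):
            text = m.group(1)
            constants.append(int(m.group(2)) if text is None else text.replace("''", "'"))
            return "?"
        return LITERAL.sub(swap, sql), constants

    def build_response(self, analysis, constants):
        """Encrypt only the markers the server flagged with encryption info."""
        if sorted(e["tag"] for e in analysis) != list(range(1, len(constants) + 1)):
            raise ValueError("analysis info must cover each marker exactly once")
        response = []
        for e in analysis:
            value = constants[e["tag"] - 1]
            if "enc" in e:
                key = FRONTEND_KEYS[e["enc"]["key_id"]]
                value = det_crypt(key, str(value).encode()).hex()
            response.append({"tag": e["tag"], "value": value})
        return response

    def decrypt_result(self, exec_info):
        """Decrypt only the result columns that arrive with encryption info."""
        out = []
        for col in exec_info:
            data = col["data"]
            if "enc" in col:
                key = FRONTEND_KEYS[col["enc"]["key_id"]]
                data = [det_crypt(key, bytes.fromhex(v)).decode() for v in data]
            out.append((col["column"], data))
        return out

class Server:
    def __init__(self, metadata, tables):
        self.metadata, self.tables, self.plan = metadata, tables, None

    def parse(self, sql):
        """S220: plan around the markers; report which tag numbers need encryption."""
        m = re.match(r"SELECT\s+(\w+)\s+FROM\s+(\w+)\s+WHERE\s+(.+)$", sql.strip(), re.I)
        if not m:
            raise ValueError("outside the one statement shape this sketch parses")
        cols = [c.upper() for c in re.findall(r"(\w+)\s*=\s*\?", m.group(3))]
        self.plan = {"select": m.group(1).upper(), "table": m.group(2).upper(),
                     "preds": [[c, None] for c in cols]}
        analysis = []
        for n, col in enumerate(cols, 1):
            enc = self.metadata.get((self.plan["table"], col))
            analysis.append({"tag": n, "enc": enc} if enc else {"tag": n})
        return analysis

    def execute(self, response):
        """S230: fill markers by tag number, run the plan, label encrypted columns."""
        preds = self.plan["preds"]
        for item in response:
            if not 1 <= item["tag"] <= len(preds):
                raise ValueError("unknown tag number")
            preds[item["tag"] - 1][1] = item["value"]
        if any(v is None for _, v in preds):
            raise ValueError("unfilled constant marker")
        table, col = self.plan["table"], self.plan["select"]
        rows = [r for r in self.tables[table] if all(r[c] == v for c, v in preds)]
        info = {"column": col, "data": [r[col] for r in rows]}
        enc = self.metadata.get((table, col))
        return [dict(info, enc=enc) if enc else info]

def run_demo():
    enc = {"key_id": "k1", "alg": "demo-det"}  # hypothetical encryption-info fields
    seal = lambda s: det_crypt(FRONTEND_KEYS["k1"], s.encode()).hex()
    # Constructed rows, as the untrusted server would hold them after encrypted inserts.
    server = Server({("TBL", "NAME"): enc, ("TBL", "PHONE"): enc},
                    {"TBL": [{"ID": 7, "NAME": seal("Alice"), "PHONE": seal("555-0100")},
                             {"ID": 8, "NAME": seal("Bob"), "PHONE": seal("555-0199")}]})
    fe = FrontEnd()
    marked, constants = fe.mark_constants(
        "SELECT PHONE FROM TBL WHERE ID = 7 AND NAME = 'Alice'")
    analysis = server.parse(marked)
    response = fe.build_response(analysis, constants)
    result = fe.decrypt_result(server.execute(response))
    return {"to_server": [marked, response], "analysis": analysis, "result": result}
```

In `run_demo()`, the `to_server` entry holds everything the front end transmits: the marked statement, the plaintext `ID` value for the unencrypted column, and ciphertext for `NAME`.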
Example three
Fig. 3 is a schematic structural diagram of a full-secret database cost transfer device according to a third embodiment of the present invention, where the device may be adapted to access a full-secret database through SQL statements, and the device may be implemented by software and/or hardware and is generally integrated on a front end of the database.
As shown in fig. 3, the apparatus includes:
an obtaining module 310, configured to obtain an initial structured query language SQL statement;
a replacing module 320, configured to replace constant data in the initial SQL statement with constant marks, to obtain an SQL statement to be executed;
the first receiving module 330 is configured to send the SQL statement to be executed to a server, and receive statement analysis information returned by the server;
and the first sending module 340 is configured to send response information including real data or encrypted data corresponding to the constant tag to the server according to the statement analysis information, so that the server executes the SQL statement to be executed.
The third embodiment provides a full-secret database cost transfer device, in which the obtaining module is used for acquiring an initial structured query language SQL statement; the replacing module is used for replacing constant data in the initial SQL statement with constant marks to obtain an SQL statement to be executed; the first receiving module is used for sending the SQL statement to be executed to a server and receiving statement analysis information returned by the server; and the first sending module is used for sending response information comprising real data or encrypted data corresponding to the constant marks to the server according to the statement analysis information, so that the server executes the SQL statement to be executed. Constant data in the initial SQL statement is replaced by constant marks, and the replaced SQL statement is sent to the server and analyzed there. The determination of whether constant data needs to be encrypted is thereby transferred to the server, so that the overall performance of the full-secret database can be improved by utilizing the higher hardware performance of the server, and the problem of poor overall performance of the full-secret database in the prior art is solved.
Further, the first sending module 340 includes:
judging whether the constant marks have corresponding full-secret encryption information or not according to each constant mark in the statement analysis information;
if yes, encrypting the real data corresponding to the constant mark according to the full-secret encryption information to obtain encrypted data, and adding the encrypted data corresponding to the constant mark and the mark number into response information;
if not, adding the real data corresponding to the constant mark and the mark number into response information;
and sending the response information to a server.
Further, the device further comprises:
receiving statement execution information returned by the server;
judging whether a target column in the statement execution information comprises full-secret encryption information or not;
if yes, decrypting column data corresponding to the target column according to the full-secret encryption information in the statement execution information to obtain a plaintext result set.
Further, the device further comprises:
and if the created data table comprises a full-secret encryption column, sending the full-secret encryption information of the full-secret encryption column to the server.
The full-secret database cost transfer device can execute the full-secret database cost transfer method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example four
Fig. 4 is a schematic structural diagram of a full-secret database cost transfer device according to a fourth embodiment of the present invention, where the device may be adapted to analyze and execute SQL statements, and the device may be implemented by software and/or hardware and is generally integrated on a server.
As shown in fig. 4, the apparatus includes:
the second receiving module 410 is configured to receive an SQL statement to be executed sent by the front end of the database; the constant data in the SQL statement to be executed is replaced by a constant mark;
the second sending module 420 is configured to parse the SQL statement to be executed according to the full-secret metadata table to obtain statement parsing information, and send the statement parsing information to the front end of the database;
and the execution module 430 is configured to receive response information including real data or encrypted data corresponding to the constant tag returned by the front end of the database, so as to execute the SQL statement to be executed.
The fourth embodiment provides a full-secret database cost transfer device, in which the second receiving module is used for receiving an SQL statement to be executed sent by the front end of a database, wherein the constant data in the SQL statement to be executed has been replaced by constant marks; the second sending module is used for analyzing the SQL statement to be executed according to the full-secret metadata table to obtain statement analysis information, and sending the statement analysis information to the front end of the database; and the execution module is used for receiving response information which is returned by the front end of the database and comprises real data or encrypted data corresponding to the constant marks, so as to execute the SQL statement to be executed. The SQL statement to be executed sent by the front end of the database is analyzed against the full-secret metadata table to obtain statement analysis information, which is sent to the front end of the database. The determination of whether constant data needs to be encrypted is thereby transferred to the server, so that the overall performance of the full-secret database is improved by utilizing the higher hardware performance of the server, and the problem of poor overall performance of the full-secret database in the prior art is solved.
Further, the second transmitting module 420 includes:
for each table column corresponding to the constant mark, inquiring whether the table column is a full-secret encryption column in a full-secret metadata table;
if yes, acquiring full-secret encryption information corresponding to the table column, and adding a mark number corresponding to the constant mark and the full-secret encryption information to statement analysis information;
if not, the tag number corresponding to the constant tag is added to the statement analysis information.
Further, the execution module 430 includes:
for each constant mark in the response information, inquiring a position corresponding to the constant mark in an execution plan corresponding to the SQL sentence to be executed according to the mark number;
replacing the constant marks in the positions with real data or encrypted data of the constant marks;
and after each constant mark in the response information is processed, executing the SQL sentence to be executed according to the execution plan.
Further, after the execution module 430, the device further includes:
obtaining an execution result set of the SQL sentence to be executed, wherein the execution result set comprises a target column identifier corresponding to a target column and column data;
for each target column in the execution result set, determining whether the target column is a full-secret encryption column according to the full-secret metadata table;
if yes, adding the target column identification, column data and full-secret encryption information corresponding to the target column to statement execution information;
if not, adding the target column identifier and the column data to statement execution information;
and sending the statement execution information to the front end of the database.
Further, the device further comprises:
receiving full-secret encryption information of a full-secret encryption column sent by the front end of the database;
and storing the full-secret encryption information in a full-secret metadata table.
The full-secret database cost transfer device can execute the full-secret database cost transfer method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example five
Fig. 5 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. The electronic device may be a database front-end, or server, and in particular may be a digital computer of various forms, such as a laptop computer, a desktop computer, a workstation, a personal digital assistant, a server, a blade server, a mainframe computer, and other suitable computers. The electronic device may also represent various forms of mobile devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the full-secret database cost transfer method.
In some embodiments, the full-secret database cost transfer method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the full-secret database cost transfer method described above may be performed. Alternatively, in other embodiments, processor 11 may be configured to perform the full-secret database cost transfer method in any other suitable manner (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and the present invention is not limited herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (13)

1. The full-secret database cost transfer method is characterized by being applied to the front end of a database, and comprises the following steps:
acquiring an initial Structured Query Language (SQL) statement;
replacing constant data in the initial SQL sentence with constant marks to obtain an SQL sentence to be executed;
the SQL statement to be executed is sent to a server, and statement analysis information returned by the server is received;
and sending response information comprising real data or encrypted data corresponding to the constant marks to the server according to the statement analysis information so as to enable the server to execute the SQL statement to be executed.
2. The method according to claim 1, wherein the sending response information including real data or encrypted data corresponding to the constant tag to the server according to the statement parsing information includes:
judging whether the constant marks have corresponding full-secret encryption information or not according to each constant mark in the statement analysis information;
if yes, encrypting the real data corresponding to the constant mark according to the full-secret encryption information to obtain encrypted data, and adding the encrypted data corresponding to the constant mark and the mark number into response information;
if not, adding the real data corresponding to the constant mark and the mark number into response information;
and sending the response information to a server.
3. The method according to claim 1, wherein the method further comprises:
receiving statement execution information returned by the server;
judging whether a target column in the statement execution information comprises full-secret encryption information or not;
if yes, decrypting column data corresponding to the target column according to the full-secret encryption information in the statement execution information to obtain a plaintext result set.
4. The method according to claim 1, wherein the method further comprises:
and if the created data table comprises a full-secret encryption column, sending the full-secret encryption information of the full-secret encryption column to the server.
5. A full-secret database cost transfer method, characterized in that it is applied to a server, the method comprising:
receiving an SQL statement to be executed sent by the front end of a database; the constant data in the SQL statement to be executed is replaced by a constant mark;
analyzing the SQL statement to be executed according to a full-secret metadata table to obtain statement analysis information, and sending the statement analysis information to the front end of the database;
and receiving response information which is returned by the front end of the database and comprises real data or encrypted data corresponding to the constant marks, so as to execute the SQL statement to be executed.
6. The method according to claim 5, wherein the parsing the SQL statement to be executed according to the full-secret metadata table to obtain statement parsing information includes:
for each table column corresponding to the constant mark, inquiring whether the table column is a full-secret encryption column in a full-secret metadata table;
if yes, acquiring full-secret encryption information corresponding to the table column, and adding a mark number corresponding to the constant mark and the full-secret encryption information to statement analysis information;
if not, the tag number corresponding to the constant tag is added to the statement analysis information.
7. The method of claim 5, wherein the receiving response information returned by the database front end, including real data or encrypted data corresponding to the constant tag, to execute the SQL statement to be executed, includes:
for each constant mark in the response information, inquiring a position corresponding to the constant mark in an execution plan corresponding to the SQL sentence to be executed according to the mark number;
replacing the constant marks in the positions with real data or encrypted data of the constant marks;
and after each constant mark in the response information is processed, executing the SQL sentence to be executed according to the execution plan.
8. The method of claim 5, further comprising, after executing the SQL statement to be executed:
obtaining an execution result set of the SQL statement to be executed, wherein the execution result set comprises a target column identifier corresponding to a target column and column data;
for each target column in the execution result set, determining whether the target column is a full-secret encryption column according to the full-secret metadata table;
if yes, adding the target column identifier, column data and full-secret encryption information corresponding to the target column to statement execution information;
if not, adding the target column identifier and the column data to statement execution information;
and sending the statement execution information to the front end of the database.
9. The method of claim 5, wherein the method further comprises:
receiving full-secret encryption information of a full-secret encryption column sent by the front end of the database;
and storing the full-secret encryption information in a full-secret metadata table.
10. A full-secret database cost transfer device, applied to a database front end, the device comprising:
the acquisition module is used for acquiring an initial structured query language SQL statement;
the replacing module is used for replacing constant data in the initial SQL statement with constant marks to obtain an SQL statement to be executed;
the first receiving module is used for sending the SQL statement to be executed to a server and receiving statement analysis information returned by the server;
and the first sending module is used for sending response information comprising real data or encrypted data corresponding to the constant marks to the server according to the statement analysis information so as to enable the server to execute the SQL statement to be executed.
11. A full-secret database cost transfer device, applied to a server, comprising:
the second receiving module is used for receiving the SQL statement to be executed sent by the front end of the database; the constant data in the SQL statement to be executed is replaced by a constant mark;
the second sending module is used for analyzing the SQL statement to be executed according to the full-secret metadata table to obtain statement analysis information, and sending the statement analysis information to the front end of the database;
and the execution module is used for receiving response information which is returned by the front end of the database and comprises real data or encrypted data corresponding to the constant marks so as to execute the SQL statement to be executed.
12. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the full-secret database cost transfer method of any one of claims 1-4 or 5-9.
13. A computer-readable storage medium storing computer instructions which, when executed, cause a processor to implement the full-secret database cost transfer method of any one of claims 1-4 or 5-9.
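The exchange of claims 5-7, together with the front-end side it answers to, sketched as an added example (not code from the patent or its applicant). The `:cN` mark syntax, the `key_id` field standing in for the "full-secret encryption information", the HMAC tag standing in for the column cipher, and the restriction to `column = constant` predicates are all assumptions of this sketch.

```python
import hashlib
import hmac
import re

# Constructed sample state. The ":cN" mark syntax, key_id and table names are assumptions.
CLIENT_KEYS = {"k1": b"front-end-only key"}         # held by the database front end only
METADATA = {("patients", "ssn"): {"key_id": "k1"}}  # server's full-secret metadata table

def encrypt(key_id, value):
    # Stand-in for the column cipher: a keyed deterministic tag (supports equality only).
    return hmac.new(CLIENT_KEYS[key_id], value.encode(), hashlib.sha256).hexdigest()

def front_end_mask(sql):
    """Front end: replace each quoted constant with a numbered constant mark."""
    constants = {}
    def repl(match):
        number = len(constants) + 1
        constants[number] = match.group(1)
        return f":c{number}"
    return re.sub(r"'([^']*)'", repl, sql), constants

def server_parse(masked_sql, table):
    """Server (claim 6): list each mark number, plus encryption info for encrypted columns."""
    info = []
    for column, number in re.findall(r"(\w+)\s*=\s*:c(\d+)", masked_sql):
        entry = {"mark": int(number)}
        if (table, column) in METADATA:
            entry["enc_info"] = METADATA[(table, column)]
        info.append(entry)
    return info

def front_end_respond(info, constants):
    """Front end: answer each mark with ciphertext if enc_info is present, else real data."""
    response = {}
    for entry in info:
        value = constants[entry["mark"]]
        if "enc_info" in entry:
            value = encrypt(entry["enc_info"]["key_id"], value)
        response[entry["mark"]] = value
    return response

def server_bind(masked_sql, response):
    """Server (claim 7): fill each mark's slot, in statement order, by mark number."""
    return [response[int(number)] for number in re.findall(r":c(\d+)", masked_sql)]

def run_exchange(sql, table):
    masked, constants = front_end_mask(sql)
    info = server_parse(masked, table)
    return masked, info, server_bind(masked, front_end_respond(info, constants))
```

The server-side functions never touch `CLIENT_KEYS` or the plaintext of the encrypted column: they see only the masked statement and, for `ssn`, the value the front end produced.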
CN202311040447.7A 2023-08-17 2023-08-17 Full-secret database cost transfer method, device, equipment and storage medium Pending CN117033445A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311040447.7A CN117033445A (en) 2023-08-17 2023-08-17 Full-secret database cost transfer method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117033445A true CN117033445A (en) 2023-11-10

Family

ID=88629674

Country Status (1)

Country Link
CN (1) CN117033445A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination