This paper researches the method of SQL injection attack detection and the principle of static analysis scanning, and presents a Java source-code SQL injection attack detection algorithm. The detection algorithm includes these steps: lexical analysis of source code, parsing of source code, constructing abstract syntax tree of source code, defining rules, abstract syntax tree traversal, tracking problems, detecting possible paths of SQL injection attack etc. Test results show that the proposed detection algorithm performs perfectly and has higher recognition rate.%研究了常见的SQL注入检测和源代码静态分析扫描的原理,提出Java源代码SQL注入检测算法,该算法通过对Java源代码词法分析和语法分析、建立抽象语法树、定义规则、遍历语法树和跟踪等,检测Java源代码中可能的SQL注入路径,测试结果表明,算法检测效果良好,识别率高.
展开▼
