To solve the SQL injection problem in the Web security, a new SQL injection filtering method named LFS (length-frequency-SQL syntax tree) is proposed in this study. The LFS includes two phases: the learning and the filtering phase. In the learning phase, the URL and the SQL statement mapping table are built based on the crawler and the database agent in a secure environment. In the filtering phase, the URL length, the access frequency, and the SQL syntax tree are detected to filter the user input to prevent SQL injection attacks. Simulation experiments and results analysis denote that the proposed LFS method can prevent SQL injection attacks more effectively than the traditional keyword filtering and regular expression filtering methods.%针对Web安全中的SQL注入问题,提出了一种新的SQL注入过滤方法——LFS(length-frequency-SQL syntax tree)过滤方法.LFS方法包括学习和过滤两个阶段,其中,学习阶段在安全的环境下,通过爬虫和数据库代理构建URL和SQL语句映射表;过滤阶段通过对URL长度、访问频率及SQL语法树这三个方面进行检测,以此实现对用户输入进行过滤,防止SQL注入攻击.仿真实验及结果分析表明LFS方法相较于传统的关键字过滤和正则表达式过滤能够更有效的防止SQL注入攻击.
展开▼
