INPUT AND OUTPUT VALIDATION

US 20090044271A1
Filed: 07/17/2008
Published: 02/12/2009
Est. Priority Date: 08/09/2007
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method for input validation and output validation, the method comprising:

receiving, at a service, a request message from a client over a network, wherein the service is located on a server;

providing a handler at the server;

checking the request message at the handler using a first method before sending the request message to the service; and

checking a response message at the handler using the first method before sending the response message to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present description refers in particular to a computer-implemented method, a computer system, and a computer program product for input validation and output validation to prevent SQL injections. In one aspect, an embodiment of the invention involves a service (e.g., a web service operating on a server) receiving a request message from a client over a network. The server includes a handler for checking the request message according to a first method, prior to sending the request message to the service. In addition, the handler checks a response message (from the service) according to the first method, prior to sending the response message to the client.

40 Citations

View as Search Results

20 Claims

1. A computer-implemented method for input validation and output validation, the method comprising:
- receiving, at a service, a request message from a client over a network, wherein the service is located on a server;
  
  providing a handler at the server;
  
  checking the request message at the handler using a first method before sending the request message to the service; and
  
  checking a response message at the handler using the first method before sending the response message to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein checking the request message at the handler comprises:
    - checking simple attacks;
      
      checking complex attacks; and
      
      checking compound attacks.
  - 3. The computer-implemented method of claim 2, wherein checking the request message at the handler further comprises:
    - if the request message is free from injected data, passing the request message to the service; and
      
      if the request message is not free from injected data, throwing a request fault message.
  - 4. The computer-implemented method of claim 3, wherein throwing a request fault message comprises:
    - checking the request fault message at the handler using a second method;
      
      generating a customized fault message; and
      
      sending the customized fault message to the client.
  - 5. The computer-implemented method of claim 4, further comprising:
    - filtering the request fault message in the second method of the handler and inside the first method.
  - 6. The computer-implemented method of claim 2, wherein checking the response message at the handler comprises:
    - if the response message is free from exception data, passing it to the client; and
      
      if the response message is not free from exception data, throwing a response fault message.
  - 7. The computer-implemented method of claim 6, wherein throwing a response fault message comprises:
    - checking the response fault message at the handler using a second method;
      
      generating a customized fault message; and
      
      sending the customized fault message to the client.
  - 8. The computer-implemented method of claim 7, further comprising:
    - filtering the response fault message in the second method of the handler and inside the first method.

9. A computer system for input validation and output validation, the computer system comprising:
- a server having a service and a handler, wherein the service is operable to receive a request message from a client over a network; and
  
  wherein the handler is operable to i) check the request message using a first method before sending the request message to the service, and ii) check a response message using the first method before sending the response message to the client.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer system of claim 9, wherein the handler is further operable to use the first method to:
    - check simple attacks;
      
      check complex attacks; and
      
      check compound attacks.
  - 11. The computer system of claim 10, wherein the handler is further operable to:
    - pass the request message to the service if the request message is free from injected data; and
      
      throw a request fault message if the request message is not free from injected data.
  - 12. The computer system of claim 11, wherein the handler is further operable to:
    - check the request fault message using a second method;
      
      generate a customized fault message; and
      
      send the customized fault message to the client.
  - 13. The computer system of claim 12, wherein the handler is further operable to:
    - filter the request fault message in the second method of the handler and inside the first method.
  - 14. The computer system of claim 10, wherein the handler is further operable to:
    - pass the response message to the client if the response message is free from exception data; and
      
      throw a response fault message if the response message is not free from exception data.
  - 15. The computer system of claim 14, wherein the handler is further operable to:
    - check the response fault message using a second method;
      
      generate a customized fault message; and
      
      send the customized fault message to the client.
  - 16. The computer system of claim 15, wherein the handler is further operable to:
    - filter the response fault message in the second method of the handler and inside the first method.

17. A computer-readable medium having a computer program product embodied thereon, wherein the computer program product comprises computer-readable instructions, which, when executed by a server, causes the server to:
- receive, at a service, a request message from a client over a network, wherein the service is located on a the server;
  
  provide a handler at the server;
  
  check the request message at the handler using a first method before sending the request message to the service; and
  
  check a response message at the handler using the first method before sending the response message to the client.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable medium of claim 17, having further computer-readable instructions, which, when executed by the server, causes the handler to check the request message by:
    - checking for simple attacks;
      
      checking for complex attacks; and
      
      checking for compound attacks.
  - 19. The computer-readable medium of claim 18, having further computer-readable instructions, which, when executed by the server, causes the server to:
    - pass the request message to the service if the request message is free from injected data; and
      
      throw a request fault message if the request message is not free from injected data.
  - 20. The computer-readable medium of claim 18, having further computer-readable instructions, which, when executed by the server, causes the server to:
    - pass the response message to the client if the response message is free from exception data; and
      
      throw a response fault message if the response message is not free from exception data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP AG (SAP SE)
Original Assignee
SAP AG (SAP SE)
Inventors
Khoury, Paul El, Benameur, Azzedine

Application Number

US12/175,400
Publication Number

US 20090044271A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/31   User authentication

G06F 21/554   involving event detection a...

G06F 21/6227   where protection concerns t...

H04L 63/1416   Event detection, e.g. attac...

INPUT AND OUTPUT VALIDATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

40 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

INPUT AND OUTPUT VALIDATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

40 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links