System and method for providing safe SQL-level access to a database
First Claim
1. A distributed computer system, comprising:
an information server, the information server including a database management system (DBMS) and a port for receiving and responding to SQL statements;
at least one client computer, coupled by a communication path to the information server;
the at least one client computer including database access means for sending SQL statements database queries to the DBMS in the information server;
the database access means including a plurality of embedded constant strings, the plurality of embedded constant strings comprising pre-encrypted representations of a first subset of a predefined full set of SQL commands recognized as legal SQL commands by the DBMS in the information server;
each of the SQL statements sent by the database access means to the DBMS in the information server including the pre-encrypted representation of one of the first subset of SQL commands;
wherein the first subset does not contain a predefined set of excluded SQL commands that are contained in the predefined full set; and
the information server including means for processing the received SQL statements, including means for decoding the pre-encrypted representation of a SQL command included in each of the SQL statements sent by the database access means in the at least one client computer, and means for rejecting any received SQL statements that do not include a pre-encrypted representation of a SQL command that can be decoded by the decoding means into a corresponding one of the legal SQL commands using a predefined decoding methodology;
wherein the at least one client computer is unable to generate SQL statements containing representations of any SQL commands not included in the first subset that will not be rejected by the information server.
Abstract
A distributed computer system has an information server and a plurality of client computers coupled by one or more communication paths to the information server. The information server includes a database management system (DBMS) with an interface procedure for receiving and responding to SQL statements from client computers. At least one client computer has a database access procedure for sending SQL statements to the DBMS in the information server. The database access procedure includes embedded encrypted SQL statements, representing a predefined subset of a predefined full set of SQL statements recognized as legal SQL statements by the DBMS. For instance, the predefined subset of SQL statement might include only SQL statements for reading data in the DBMS, but not include SQL statements for modifying and adding data to the DBMS. Each of the SQL statements sent by the database access procedure to the DBMS includes a corresponding one of the encrypted SQL statements. The DBMS in the information server includes an interface procedure for processing all SQL statements received from client computers, including a decoding procedure for decoding the encrypted SQL statement included in the SQL statements sent by the database access procedure in the one client computer. The received SQL statement is executed by the DBMS only if the decoded SQL statement is a legal SQL statement. In addition, the interface procedure rejects received SQL statements that do not include an encrypted SQL statement.
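The scheme in claim 1 and the abstract, sketched at the command level as an added example (not code from the patent or its assignee). The patent does not name a cipher, so an HMAC-SHA256 tag with a server-side lookup table stands in for the "pre-encrypted representation" and its "predefined decoding methodology"; the key, the command lists and the token-then-space statement format are assumptions.

```python
import hashlib
import hmac

# Assumptions (not from the patent): key, command lists and token format.
SERVER_KEY = b"constructed-demo-key"  # known to the server and the client build step only
FULL_SET = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP")  # legal commands for the DBMS
CLIENT_SUBSET = ("SELECT",)           # first subset: read-only


def encode_command(command: str) -> str:
    """Stand-in for pre-encryption: hex HMAC-SHA256 tag of the command word."""
    return hmac.new(SERVER_KEY, command.encode(), hashlib.sha256).hexdigest()


# Constant strings embedded in the client at build time; the key is not shipped.
CLIENT_TOKENS = {cmd: encode_command(cmd) for cmd in CLIENT_SUBSET}
# Server-side decoding table: token -> legal command.
DECODE_TABLE = {encode_command(cmd): cmd for cmd in FULL_SET}


def client_statement(command: str, rest: str) -> str:
    """Client: prefix the statement with the embedded token (KeyError if not held)."""
    return f"{CLIENT_TOKENS[command]} {rest}"


def server_decode(statement: str) -> str:
    """Server: replace a valid leading token with its command, else reject."""
    token, _, rest = statement.partition(" ")
    for known, command in DECODE_TABLE.items():
        # Constant-time comparison of the received token with each known token.
        if hmac.compare_digest(token.encode(), known.encode()):
            return f"{command} {rest}"
    raise PermissionError("rejected: no decodable command token")


def is_accepted(statement: str) -> bool:
    """True if the server would pass the statement on to the DBMS."""
    try:
        server_decode(statement)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(server_decode(client_statement("SELECT", "name FROM staff")))
    print(is_accepted("DELETE FROM staff"))  # plaintext command, no token
```

In this sketch the token covers only the command word; the remainder of the statement is passed through unchanged and still depends on the DBMS's own parsing and permission checks.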
6 Claims
4. In a distributed computer system having an information server and a plurality of client computers coupled by a communication path to the information server, the information server including a database management system (DBMS) with a port for receiving and responding to SQL statements;
a method of limiting access to the DBMS by at least some of the client computers, comprising the steps of:
in at least one of the client computers, storing a plurality of constant strings, the plurality of constant strings comprising pre-encrypted representations of a first subset of a predefined full set of SQL commands recognized as legal SQL commands by the DBMS in the information server, wherein the first subset does not contain a predefined set of excluded SQL commands that are contained in the predefined full set; and generating SQL statements and sending the generated SQL statements to the DBMS in the information server, each of the generated SQL statements including the pre-encrypted representation of one of the first subset of SQL commands; and
in the information server, processing the received SQL statements, including decoding the pre-encrypted representation of a SQL command included in each of the SQL statements sent by the at least one client computer, and rejecting any received SQL statements that do not include a pre-encrypted representation of a SQL command that can be decoded by the information server into a corresponding one of the legal SQL commands using a predefined decoding methodology;
wherein the at least one client computer is unable to generate SQL statements containing representations of any SQL commands not included in the first subset that will not be rejected by the information server.
Specification