SQL injection prevention
First Claim
1. A method of protecting data in a database utilized by an application that is vulnerable to SQL injection, the method comprising:
receiving a SQL statement at a SQL injection prevention module within the application;
identifying a SQL command sequence within the SQL statement;
comparing the SQL command sequence with a SQL pattern contained in a database security policy, wherein the database security policy includes a violation severity level;
determining that there is a match between the SQL command sequence and the SQL pattern, such that there is a violation of the database security policy by the SQL statement;
determining if the violation severity level of the database security policy is critical or non-critical; and
permitting the SQL command sequence to execute and encrypting a result of the execution of the SQL command sequence when there is a match between the SQL command sequence and the SQL pattern and the violation severity level is non-critical.
Abstract
Hackers and other malicious users are prevented from injecting harmful SQL into a database and from retrieving confidential data. SQL statements formed by an application in response to user input (e.g., user ID and password) are scanned and compared to patterns of SQL commands and data embodied in one or more anti-SQL injection policies. If there is a match, the SQL statement is in violation of the policy. A severity level of the violation may then be checked; for example, it may be determined whether the violation is critical or non-critical (normal). Different actions are taken depending on the severity of the violation. If the violation is critical, the SQL statement is dropped, the administrator is notified immediately, and a trace of the violation is provided. If the violation is not critical, the data is retrieved and compared against data in a confidential data registry. Any data found to be confidential is encrypted before it is sent to the hacker, who is therefore unable to use or read the encrypted confidential data.
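The flow the abstract describes, as an added example that is not the patent's own code: a small prevention module scans an application-built SQL statement against a constructed set of severity-tagged SQL patterns, drops critical violations and records an administrator alert with a trace, and lets non-critical violations execute while encrypting the columns named in a constructed confidential data registry before the result is returned. The policy patterns, the column registry, the `users` table and its rows are all constructed for the demonstration; the HMAC-SHA256 keystream cipher is a standard-library stand-in for a real AEAD such as AES-GCM and is not the patent's encryption method.

```python
"""Added example (not the patent's code): SQL injection prevention module
with severity-based handling and result encryption for confidential data."""
import hashlib
import hmac
import re
import secrets
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    pattern: re.Pattern
    severity: str  # "critical" or "non-critical" (the violation severity level)


# Constructed database security policy: each SQL pattern carries a severity.
POLICIES = [
    Policy("stacked-write", re.compile(r";\s*(drop|delete|alter|truncate|update|insert)\b", re.I), "critical"),
    Policy("tautology", re.compile(r"\bor\b\s+('?\w+'?)\s*=\s*\1", re.I), "non-critical"),
    Policy("union-probe", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), "non-critical"),
    Policy("comment-truncation", re.compile(r"--|/\*"), "non-critical"),
]

# Constructed confidential data registry (the patent's configuration file
# identifying confidential data); here just a set of column names.
CONFIDENTIAL_COLUMNS = {"ssn", "password_hash"}

ADMIN_ALERTS = []  # stand-in for notifying the administrator with a trace


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; demonstration stand-in only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_value(key: bytes, value) -> str:
    """Encrypt one result cell under a key known only to the data owner."""
    data = str(value).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]  # integrity tag
    return "enc:" + (nonce + ct + tag).hex()


def decrypt_value(key: bytes, token: str) -> str:
    """Inverse of encrypt_value; only the key holder can read the cell."""
    blob = bytes.fromhex(token[len("enc:"):])
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def scan(sql: str):
    """Identify the SQL command sequence matching a policy; return the most
    severe (policy, matched sequence) pair, or (None, None) if no match."""
    hits = []
    for policy in POLICIES:
        m = policy.pattern.search(sql)
        if m:
            hits.append((policy, m.group(0)))
    if not hits:
        return None, None
    return max(hits, key=lambda h: h[0].severity == "critical")


def guard(sql: str, conn: sqlite3.Connection, owner_key: bytes) -> dict:
    """Prevention module: drop critical violations, encrypt confidential
    columns for non-critical ones, pass clean statements through unchanged."""
    policy, seq = scan(sql)
    if policy is None:
        return {"status": "allowed", "rows": conn.execute(sql).fetchall()}
    if policy.severity == "critical":
        ADMIN_ALERTS.append({"policy": policy.name, "sequence": seq, "statement": sql})
        return {"status": "dropped", "policy": policy.name}
    cur = conn.execute(sql)
    cols = [d[0] for d in cur.description]
    rows = [tuple(encrypt_value(owner_key, v) if c in CONFIDENTIAL_COLUMNS else v
                  for c, v in zip(cols, row)) for row in cur.fetchall()]
    return {"status": "allowed-encrypted", "policy": policy.name, "columns": cols, "rows": rows}


def sample_db() -> sqlite3.Connection:
    """Constructed in-memory database with one confidential column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, ssn TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "000-00-0001", "h1"), ("bob", "000-00-0002", "h2")])
    return conn


def build_query(user_input: str) -> str:
    # The vulnerable application pattern the patent assumes: string-built SQL.
    return f"SELECT name, ssn FROM users WHERE name = '{user_input}'"


if __name__ == "__main__":
    db, key = sample_db(), secrets.token_bytes(32)
    for user_input in ["alice", "' OR '1'='1", "'; DROP TABLE users --"]:
        print(repr(user_input), "->", guard(build_query(user_input), db, key))
```

Note the caveat the example makes visible: a clean-looking statement such as the `alice` lookup is returned in plaintext, so the registry only protects data when a pattern fires, and a statement a pattern does not recognise still reaches the database. Pattern matching of this kind is a detection layer; the application should still build its queries with parameters rather than string concatenation.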
34 Claims
1. (Reproduced in full under First Claim above.) Dependent claims: 2-9.
10. A computing system preventing harmful effects from SQL injection, the system comprising:
a processor;
a SQL injection prevention module for thwarting attempts to cause harm to the computing system through SQL injection;
a SQL scanner module for scanning a SQL statement received from an application executing on the processor;
a logger module for providing one or more SQL injection policies;
a confidential data encryption module for encrypting confidential data retrieved from a database to form a result of executing a SQL statement when it is determined that the SQL statement violates a policy and that the policy violation is a non-critical violation, wherein said encrypting uses a feature that is known only to the owner or user of the confidential data; and
a memory storage area storing one or more SQL injection policies, and a configuration file identifying said confidential data in the database, said configuration file being generated by a data registry module and wherein said confidential data encryption module uses said configuration file, wherein the SQL statement is compared with the one or more SQL injection policies to determine whether the SQL statement violates any of the one or more SQL injection policies.
Dependent claims: 11-18.
19. A method of blocking SQL injections into a user application that utilizes a database, comprising:
receiving a SQL statement at a SQL injection prevention system in the user application;
comparing the SQL statement against policies relating to SQL injections, said policies containing SQL patterns;
determining whether the SQL statement violates any of the policies; and
allowing the SQL statement to execute and encrypting a result of the execution of the SQL statement when it is determined that there is a violation of a low security level;
wherein the database utilized by the application is protected from malicious SQL statements.
Dependent claims: 20-34.