Using parse tree validation to prevent SQL injection attacks
Top Cited Papers
- 5 September 2005
- proceedings article
- Published by Association for Computing Machinery (ACM)
- p. 106-113
- https://doi.org/10.1145/1108473.1108496
Abstract
An SQL injection attack targets interactive web applications that employ database services. Such applications accept user input, such as form fields, and then include this input in database requests, typically SQL statements. In SQL injection, the attacker provides user input that results in a different database request than was intended by the application programmer. That is, the interpretation of the user input as part of a larger SQL statement results in an SQL statement of a different form than originally intended. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input. Our solution is efficient, adding about 3 ms overhead to database query costs. In addition, it is easily adopted by application programmers, having the same syntactic structure as current popular record set retrieval methods. For empirical analysis, we provide a case study of our solution in J2EE. We implement our solution in a simple static Java class, and show its effectiveness and scalability.
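The run-time check the abstract describes, as an added example that is not the paper's Java class: a toy recursive-descent parser for a small SELECT/WHERE grammar builds the parse tree of the programmer's template (with `?` placeholders), builds it again after user input has been substituted, and accepts the statement only if the two trees have the same shape, with each placeholder filled by exactly one literal. Python is used here instead of J2EE for brevity, and the grammar, the token set and the function names (`tokenize`, `parse`, `shapes_match`, `fill`, `guarded_query`) are all constructed for this example.

```python
import re
from typing import Any, List, Tuple

# Hypothetical grammar for this example: SELECT cols FROM table WHERE cond,
# where cond uses AND/OR, parentheses, comparisons, literals and '?' placeholders.
_TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)                          # whitespace, skipped
  | (?P<comment>--[^\n]*)                # SQL line comment, skipped
  | (?P<str>'(?:[^']|'')*')              # string literal, '' escapes a quote
  | (?P<num>\d+)                         # integer literal
  | (?P<id>[A-Za-z_][A-Za-z_0-9]*)       # identifier or keyword
  | (?P<punct><>|!=|[*,=()?<>])          # punctuation and operators
""", re.VERBOSE)
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR"}

def tokenize(sql: str) -> List[Tuple[str, str]]:
    """Split SQL into (kind, text) tokens; anything unrecognised (e.g. ';') is an error."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)
        if not m:
            raise SyntaxError(f"unexpected input at offset {pos}: {sql[pos:pos + 10]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind in ("ws", "comment"):
            continue
        if kind == "id" and text.upper() in KEYWORDS:
            kind, text = "kw", text.upper()
        tokens.append((kind, text))
    return tokens

class Parser:
    """Recursive-descent parser producing nested tuples: (node_type, *children)."""
    def __init__(self, tokens: List[Tuple[str, str]]):
        self.toks, self.i = tokens, 0
    def peek(self) -> Tuple[str, str]:
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", "")
    def take(self, kind: str, text: str = None) -> str:
        tok = self.peek()
        if tok[0] != kind or (text is not None and tok[1] != text):
            raise SyntaxError(f"expected {text or kind}, got {tok[1]!r}")
        self.i += 1
        return tok[1]
    def statement(self) -> Any:
        self.take("kw", "SELECT")
        cols = self.columns()
        self.take("kw", "FROM")
        table = ("table", self.take("id"))
        self.take("kw", "WHERE")
        cond = self.expr()
        if self.peek()[0] != "eof":            # e.g. a second statement appended
            raise SyntaxError(f"trailing input: {self.peek()[1]!r}")
        return ("select", cols, table, cond)
    def columns(self) -> Any:
        if self.peek() == ("punct", "*"):
            self.i += 1
            return ("cols", "*")
        names = [self.take("id")]
        while self.peek() == ("punct", ","):
            self.i += 1
            names.append(self.take("id"))
        return ("cols", *names)
    def expr(self) -> Any:                      # OR binds loosest
        terms = [self.term()]
        while self.peek() == ("kw", "OR"):
            self.i += 1
            terms.append(self.term())
        return terms[0] if len(terms) == 1 else ("or", *terms)
    def term(self) -> Any:                      # AND binds tighter than OR
        factors = [self.factor()]
        while self.peek() == ("kw", "AND"):
            self.i += 1
            factors.append(self.factor())
        return factors[0] if len(factors) == 1 else ("and", *factors)
    def factor(self) -> Any:
        if self.peek() == ("punct", "("):
            self.i += 1
            inner = self.expr()
            self.take("punct", ")")
            return inner
        left = self.operand()
        op = self.take("punct")
        if op not in ("=", "<", ">", "<>", "!="):
            raise SyntaxError(f"bad operator {op!r}")
        return ("cmp", op, left, self.operand())
    def operand(self) -> Any:
        kind, text = self.peek()
        if (kind, text) == ("punct", "?"):
            self.i += 1
            return ("param",)
        if kind == "str":
            self.i += 1
            return ("str", text[1:-1].replace("''", "'"))
        if kind in ("num", "id"):
            self.i += 1
            return (kind, text)
        raise SyntaxError(f"expected a value, got {text!r}")

def parse(sql: str) -> Any:
    return Parser(tokenize(sql)).statement()

def shapes_match(template: Any, actual: Any) -> bool:
    """True when 'actual' has the template's tree and every '?' became one literal leaf."""
    if template == ("param",):
        return isinstance(actual, tuple) and actual[0] in ("str", "num")
    if not (isinstance(template, tuple) and isinstance(actual, tuple)):
        return template == actual
    return len(template) == len(actual) and all(
        shapes_match(t, a) for t, a in zip(template, actual))

def fill(template: str, params: Tuple[str, ...]) -> str:
    """Deliberately naive substitution (quotes, no escaping), so the check does the work."""
    parts = template.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("parameter count mismatch")
    return parts[0] + "".join(f"'{v}'{rest}" for v, rest in zip(params, parts[1:]))

def guarded_query(template: str, params: Tuple[str, ...]) -> Tuple[bool, str]:
    """Compare the template's parse tree with the filled statement's; fail closed."""
    expected, sql = parse(template), fill(template, params)
    try:
        actual = parse(sql)
    except SyntaxError as exc:
        return False, f"rejected (does not parse): {exc}"
    if not shapes_match(expected, actual):
        return False, "rejected (parse tree differs from template)"
    return True, sql

if __name__ == "__main__":
    q = "SELECT * FROM users WHERE name = ? AND pin = ?"   # constructed template
    for params in [("alice", "1234"), ("' OR '1'='1", "1234"), ("admin' --", "1234")]:
        print(params, "->", guarded_query(q, params))
```

The check is structural, so escaping is not what protects the statement: an input that adds an `OR` branch or comments out the rest of the `WHERE` clause changes the tree and is refused, while an input that merely fails to tokenize (a stray quote) is refused because the guard fails closed. A production version would use the database's own grammar rather than this toy one, and the paper reports the resulting overhead at about 3 ms per query.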