查看文章

SQL injection attacks (SQLIA) are widely used in which an attacker crafts input to the application server to access or modify data on the database server. A common approach for an attacker to launch SQLIA is by modifying the input URL to contain partial SQL queries and trick the server into executing them. In this paper we first identify all those input patterns that can appear in the URL of an attack. Next we proposed to deploy a SQL Meta character filter that parses the input URL to detect attack patterns. The attack patterns are so chosen so that SQL Meta characters that appear in a legal input are not filtered out. We implement the filter using Java servlet and demonstrate its effectiveness.