Reinforcing SQL transactions dynamically to prevent injection attacks

Assignee

• International Business Machines Corporation · US

Inventors

• Galia Diamant · Littleton, US
• Leonid Rodniansky · Brookline, US
• Cheng-Ta Lee · Taipei, TW
• Chun-Shuo Lin · Tainan, TW
• Richard Ory Jerrell · Littleton, US

Key dates

Classification

• Technology area (CPC G)Physics
• CPC primaryG06F21/602
• WIPO fieldComputer technology
• WIPO sectorElectrical engineering

Abstract

A database protection system (DPS) mitigates injection attacks. DPS receives an unrestricted database query, extract a syntax tree, and evaluates whether it recognizes the query. To this end, DPS applies a hash function over the extracted syntax tree, and then determines whether the resulting hash has been seen by DPS before. If so, DPS retrieves a previously-generated prepared statement associated with the syntax tree, and that prepared statement is then forward to the database server in lieu of sending the original query. If the syntax tree is not recognized, DPS creates a new prepared statement, generates a hash of the syntax tree, and stores the hash and the new prepared statement, and forwards the new prepared statement. The prepared statements are configured based on the native wire protocol used by the database server, and DPS includes additional functionality by which it can learn the semantics of this protocol if necessary.