Title :
Automated Protection of PHP Applications Against SQL-injection Attacks
Author :
Merlo, Ettore ; Letarte, Dominic ; Antoniol, Giuliano
Author_Institution :
Dept. of Comput. Sci., Ecole Polytechnique de Montreal, Que.
Abstract :
Web sites may be static sites, programs, or databases, and very often a combination of the three integrating relational databases as a back-end. Web sites require care in configuration and programming to assure security, confidentiality, and trustworthiness of the published information. SQL-injection attacks exploit weak validation of textual input used to build database queries. Maliciously crafted input may threaten the confidentiality and the security policies of Web sites relying on a database to store and retrieve information. This paper presents an original approach that combines static analysis, dynamic analysis, and code re-engineering to automatically protect applications written in PHP from SQL-injection attacks. The paper also reports preliminary results of experiments performed on an old SQL-injection prone version of phpBB (version 2.0.0, 37193 LOC of PHP version 4.2.2 code). Results show that our approach successfully improved phpBB-2.0.0 resistance to SQL-injection attacks
Keywords :
SQL; Web sites; relational databases; security of data; systems re-engineering; PHP applications; SQL-injection attacks; Web sites; information confidentiality; information security; information trustworthiness; relational databases; software re-engineering; software security analysis; Application software; Computer science; Data security; Dynamic programming; Engines; Information security; Performance analysis; Protection; Relational databases; Software performance;
Conference_Titel :
Software Maintenance and Reengineering, 2007. CSMR '07. 11th European Conference on
Conference_Location :
Amsterdam
Print_ISBN :
0-7695-2802-3
DOI :
10.1109/CSMR.2007.16
