Automated Protection of PHP Applications Against SQL-injection Attacks

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Ettore Merlo Articles by Dominic Letarte Articles by Giuliano Antoniol

11th European Conference on Software Maintenance and Reengineering (CSMR'07)

Amsterdam, the Netherlands

March 21-March 23

ISBN: 0-7695-2802-3

	ASCII Text	x
	Ettore Merlo, Dominic Letarte, Giuliano Antoniol, "Automated Protection of PHP Applications Against SQL-injection Attacks," Software Maintenance and Reengineering, European Conference on, pp. 191-202, 11th European Conference on Software Maintenance and Reengineering (CSMR'07), 2007.

	BibTex	x
	@article{ 10.1109/CSMR.2007.16, author = {Ettore Merlo and Dominic Letarte and Giuliano Antoniol}, title = {Automated Protection of PHP Applications Against SQL-injection Attacks}, journal ={Software Maintenance and Reengineering, European Conference on}, volume = {0}, year = {2007}, issn = {1534-5351}, pages = {191-202}, doi = {http://doi.ieeecomputersociety.org/10.1109/CSMR.2007.16}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Software Maintenance and Reengineering, European Conference on TI - Automated Protection of PHP Applications Against SQL-injection Attacks SN - 1534-5351 SP191 EP202 A1 - Ettore Merlo, A1 - Dominic Letarte, A1 - Giuliano Antoniol, PY - 2007 KW - null VL - 0 JA - Software Maintenance and Reengineering, European Conference on ER -

Ettore Merlo, Ecole Polytechnique de Montreal, Canada

Dominic Letarte, Ecole Polytechnique de Montreal, Canada

Giuliano Antoniol, Ecole Polytechnique de Montreal, Canada

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CSMR.2007.16

Web sites may be static sites, programs, or databases, and very often a combination of the three integrating relational databases as a back-end. Web sites require care in configuration and programming to assure security, confidentiality, and trustworthiness of the published information.

SQL-injection attacks exploit weak validation of textual input used to build database queries. Maliciously crafted input may threaten the confidentiality and the security policies of Web sites relying on a database to store and retrieve information.

This paper presents an original approach that combines static analysis, dynamic analysis, and code reengineering to automatically protect applications written in PHP from SQL-injection attacks.

The paper also reports preliminary results of experiments performed on an old SQL-injection prone version of phpBB (version 2.0.0, 37193 LOC of PHP version 4.2.2 code). Results show that our approach successfully improved phpBB-2.0.0 resistance to SQLinjection attacks.

Citation:

Ettore Merlo, Dominic Letarte, Giuliano Antoniol, "Automated Protection of PHP Applications Against SQL-injection Attacks," csmr, pp.191-202, 11th European Conference on Software Maintenance and Reengineering (CSMR'07), 2007

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.