The Community for Technology Leaders
2011 15th European Conference on Software Maintenance and Reengineering (2007)
Amsterdam, the Netherlands
Mar. 21, 2007 to Mar. 23, 2007
ISSN: 1534-5351
ISBN: 0-7695-2802-3
pp: 191-202
Web sites may be static sites, programs, or databases, and very often a combination of the three integrating relational databases as a back-end. Web sites require care in configuration and programming to assure security, confidentiality, and trustworthiness of the published information. SQL-injection attacks exploit weak validation of textual input used to build database queries. Maliciously crafted input may threaten the confidentiality and the security policies of Web sites relying on a database to store and retrieve information. This paper presents an original approach that combines static analysis, dynamic analysis, and code re-engineering to automatically protect applications written in PHP from SQL-injection attacks. The paper also reports preliminary results of experiments performed on an old SQL-injection prone version of phpBB (version 2.0.0, 37193 LOC of PHP version 4.2.2 code). Results show that our approach successfully improved phpBB-2.0.0 resistance to SQL-injection attacks
Protection, Application software, Data security, Relational databases, Information security, Software performance, Performance analysis, Dynamic programming, Engines, Computer science
"Automated Protection of PHP Applications Against SQL-injection Attacks", 2011 15th European Conference on Software Maintenance and Reengineering, vol. 00, no. , pp. 191-202, 2007, doi:10.1109/CSMR.2007.16
98 ms
(Ver 3.3 (11022016))