关键词: SQL注入, 词法分析, 静态分析, 污染分析, 规则匹配

Abstract: The concept of “SQL injection” has been proposed for more than 10 years, however, SQL injection attack was still rated the number one attack on the Open Web Application Security Project(OWASP) in 2013. With the rapid development of dynamic Web applications, PHP becomes popular because it's fast, reliable and can be combined with many different types of RDBMS, and it's also a cheap option for developing and hosting applications on the Web. PHP is a powerful language which can access files, execute commands and open network connections on the server. However, these properties also make anything is run on a Web server insecure by default. As there are several ways of utilizing PHP, there are many configuration options controlling its behavior. A large selection of options guarantees that PHP can be utilized to a lot of purposes. With proper runtime configuration options and coding practices, PHP can provide exactly the combination of freedom and security. This paper considers the security risks related to PHP programming language, and describes different situations which will lead to website vulnerabilities. It also proposes a static lexical analysis framework for detecting SQL injections based on the matching rules, and implements the PHP sourcecode SQL injection attack detection algorithm. The experiments demonstrate that the algorithm is effective, and it can also be extended to detect other “taintstyle” Web vulnerabilities.

Key words: SQL injection, lexical analysis, static analysis, taint analysis, matching rules