The rapid development of network technology has driven the widespread use of web applications. Combining web applications with databases makes systems more complicated than before, and it is hard to confirm whether the database queries built from user input are safe. We therefore need a defense mechanism that can effectively block SQL injection attacks against the database by malicious users. In this thesis we propose a defense mechanism that differs from those of other scholars; it can defend against both single attacks and multiple-query attacks. Before any database instruction is executed, every SQL instruction composed from user input is recorded in the database. The recorded instructions are then checked against the knowledge in a knowledge base, and only those that pass the check are passed to the database for execution; the results are returned to the users afterwards. In this way, we avoid executing improperly composed SQL instructions.
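The checking step the abstract describes, as an added illustration that is not code from the thesis: each composed statement is recorded, rejected if it stacks several statements (the multiple-query case), and otherwise compared structurally against a knowledge base of known-good query templates. The template form of the knowledge base, the `users` table and the sample rows are assumptions made here.

```python
import re
import sqlite3

# Constructed knowledge base of statement *structures* the application is known
# to issue (literals replaced by '?'). The thesis does not specify its
# knowledge-base format; this template form is an assumption made here.
KNOWLEDGE_BASE = {
    "SELECT id, name FROM users WHERE name = ? AND password = ?",
}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")

def normalize(sql: str) -> str:
    """Reduce a composed statement to its structure: string and numeric
    literals become '?', whitespace is collapsed, a trailing ';' is dropped."""
    s = _STRING_LITERAL.sub("?", sql)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().rstrip(";")

def has_multiple_statements(sql: str) -> bool:
    """Multiple-query (stacked) attack check: more than one statement,
    ignoring ';' characters that sit inside string literals."""
    parts = _STRING_LITERAL.sub("''", sql).split(";")
    return sum(1 for p in parts if p.strip()) > 1

def check_query(sql: str, audit_log: list) -> bool:
    """Record the composed statement first, then decide whether it may run."""
    audit_log.append(sql)
    if has_multiple_statements(sql):
        return False
    return normalize(sql) in KNOWLEDGE_BASE

def guarded_execute(conn, sql: str, audit_log: list):
    """Run the statement only if it passes the check; None means rejected."""
    if not check_query(sql, audit_log):
        return None
    return conn.execute(sql).fetchall()

def make_demo_connection():
    """Constructed in-memory database standing in for the application's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'pw1')")
    return conn

if __name__ == "__main__":
    conn, log = make_demo_connection(), []
    print(guarded_execute(conn, "SELECT id, name FROM users WHERE name = 'alice' AND password = 'pw1'", log))
    print(guarded_execute(conn, "SELECT id, name FROM users WHERE name = 'alice' AND password = '' OR '1'='1'", log))
    print(guarded_execute(conn, "SELECT id, name FROM users WHERE name = 'x'; DROP TABLE users", log))
    print(len(log))  # every composed statement was recorded, accepted or not
```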