java.lang.Object
  edu.osu.cse.SQLprevention.SQLGuard
public class SQLGuard
SQLGuard provides an interface for building injection-safe SQL strings.
Using a parse tree representation of the SQL string, the class compares the
structure of the query before and after user input has been supplied, and
raises an error if the two trees do not match.
SQLGuard is part of a Java implementation of the parse tree validation
technique proposed by Buehrer, Weide and Sivilotti. It is designed to
eliminate SQL injection attacks in web applications.
This implementation makes use of the publicly available SQL parser for Java,
ZQL (http://www.experlog.com/gibello/zql/).
How To Use:

```java
// (install ZQL first)
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;

Connection conn = SafeDriverManager.getConnection("jdbc:mysql://localhost/database1?user=user1&password=pass");
// init() emits this thread's key; wrap() marks the user-supplied value with it
String query = SQLGuard.init() + "SELECT * FROM table where col1 = " + SQLGuard.wrap(id);
Statement s2 = conn.createStatement();
ResultSet rs = s2.executeQuery(query);
```
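As an added illustration of the technique the class description outlines (this is not the project's code; a toy tokenizer and a token-kind sequence stand in for ZQL and its parse tree), the following Python model walks through the init / wrap / check / prepareForQuery cycle: every user slot is compared once as an empty literal leaf and once with the real input, and the query is released only if both structures agree.

```python
import re
import secrets
# Toy tokenizer for a small SQL subset, constructed for this example (stands in for ZQL).
TOKEN_RE = re.compile(r"""(?P<LIT>'(?:[^']|'')*'|\d+(?:\.\d+)?)
                         |(?P<WORD>[A-Za-z_][A-Za-z0-9_]*)
                         |(?P<OP><>|<=|>=|[=<>(),*;])
                         |(?P<WS>\s+)""", re.VERBOSE)
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "LIKE", "DROP", "TABLE"}

def init(key_bits=64):
    """Fresh random key that marks user-supplied segments (the role of SQLGuard.init())."""
    return secrets.token_hex(key_bits // 8)

def wrap(value, key):
    """Mark a user-supplied value; strings are quoted but deliberately NOT escaped."""
    text = f"'{value}'" if isinstance(value, str) else str(value)
    return f"{key}{text}{key}"

def structure(sql):
    """Token-kind sequence used as a stand-in for the parse tree; every literal is LIT."""
    kinds, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m is None:
            raise ValueError(f"unexpected character {sql[pos]!r} at offset {pos}")
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind == "WS":
            continue
        if kind == "WORD":
            kind = text.upper() if text.upper() in KEYWORDS else "IDENT"
        kinds.append(text if kind == "OP" else kind)
    return kinds

def check(sql, key):
    """Compare the query with empty leaf nodes against the query with user input filled in."""
    segment = re.compile(re.escape(key) + r"(.*?)" + re.escape(key), re.DOTALL)
    empty = segment.sub("''", sql)                   # each user slot becomes an empty literal leaf
    filled = segment.sub(lambda m: m.group(1), sql)  # each user slot holds the real input
    try:
        return structure(empty) == structure(filled)
    except ValueError:                               # input the grammar cannot even tokenize
        return False

def prepare_for_query(sql, key):
    """Strip the markers only when the structure survived; otherwise refuse to run the query."""
    if not check(sql, key):
        raise ValueError("user input changed the SQL structure; query rejected")
    return sql.replace(key, "")
```

A value such as O''Brien passes because it is still one literal leaf, while a quote-breaking input adds tokens to the WHERE clause and is rejected before it reaches the database.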
Copyright 2005 The Ohio State University
Field Summary

| Modifier and Type | Field | Description |
|---|---|---|
| private static java.util.concurrent.ConcurrentHashMap | keys | a concurrent hash table to store thread-key pairs |
| private static int | keySize | the number of bits to use for keys |
| private static java.lang.String | lastQuery | an SQL string of the last query executed through SQLGuard |
| private static java.util.Random | rand | used to generate random keys |
Constructor Summary

| Constructor | Description |
|---|---|
| SQLGuard() | The default constructor; it instantiates the keys hashmap. |
Method Summary

| Modifier and Type | Method | Description |
|---|---|---|
| (package private) static boolean | check(java.lang.String sql) | Confirms well-formedness of an SQL string. |
| private static boolean | compareFrom(java.util.Vector from1, java.util.Vector from2) | Confirms well-formedness of an SQL string's FROM clause. |
| private static boolean | compareFromItem(Zql.ZFromItem from1, Zql.ZFromItem from2) | Confirms whether two FROM items are a match. |
| private static boolean | compareSelect(java.util.Vector sel1, java.util.Vector sel2) | Compares two SELECT vectors, returning false if there is not an exact match. |
| private static boolean | compareSelectItem(Zql.ZSelectItem sel1, Zql.ZSelectItem sel2) | Confirms whether two SELECT items are equal. |
| private static boolean | compareWhere(Zql.ZExp where1, Zql.ZExp where2) | Confirms well-formedness of an SQL string's WHERE clause. |
| private static boolean | compareZExpression(Zql.ZExp exp1, Zql.ZExp exp2) | Confirms whether two EXPRESSIONS are a match. |
| static int | getKeySize() | Gets the size of the key (in bits). |
| static java.lang.String | getLastQuery() | Gets the last query string which was executed through SQLGuard. |
| static java.lang.String | init() | Generates a new key for this query. |
| (package private) static java.lang.String | prepareForQuery(java.lang.String sql) | Removes the key from the sql string, and then removes all wrappings from the query. |
| static java.lang.String | removeWrappers(java.lang.String sql, java.lang.String replacement, java.lang.String local_key) | Unwraps all wrappings in the sql query. |
| static void | setKeySize(int keySize) | Sets the keySize in bits; must be a multiple of 4. |
| static void | setLastQuery(java.lang.String lastQuery) | |
| static java.lang.String | wrap(boolean n) | Wraps a boolean variable. |
| static java.lang.String | wrap(char n) | Wraps a char variable. |
| static java.lang.String | wrap(double n) | Wraps a double variable. |
| static java.lang.String | wrap(float n) | Wraps a float variable. |
| static java.lang.String | wrap(int n) | Wraps an int variable. |
| static java.lang.String | wrap(long n) | Wraps a long variable. |
| static java.lang.String | wrap(short n) | Wraps a short variable. |
| static java.lang.String | wrap(java.lang.String s) | Wraps a string variable. |
Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Field Detail

private static java.util.concurrent.ConcurrentHashMap keys
private static int keySize
private static java.lang.String lastQuery
private static java.util.Random rand

Constructor Detail

SQLGuard()

Method Detail
public static java.lang.String init()

public static java.lang.String wrap(java.lang.String s)
Parameters:
    s - a string representing a user-supplied portion of the SQL query

public static java.lang.String wrap(long n)
Parameters:
    n - a long, which is a user-supplied portion of the SQL query

public static java.lang.String wrap(double n)
Parameters:
    n - a double, which is a user-supplied portion of the SQL query

public static java.lang.String wrap(char n)
Parameters:
    n - a char, which is a user-supplied portion of the SQL query

public static java.lang.String wrap(short n)
Parameters:
    n - a short, which is a user-supplied portion of the SQL query

public static java.lang.String wrap(boolean n)
Parameters:
    n - a boolean, which is a user-supplied portion of the SQL query

public static java.lang.String wrap(float n)
Parameters:
    n - a float, which is a user-supplied portion of the SQL query

public static java.lang.String wrap(int n)
Parameters:
    n - an int, which is a user-supplied portion of the SQL query

static java.lang.String prepareForQuery(java.lang.String sql)
Parameters:
    sql - an SQL query

public static java.lang.String removeWrappers(java.lang.String sql, java.lang.String replacement, java.lang.String local_key)
Parameters:
    sql - an SQL query
    replacement - a regular expression for what to put back in; it is a subgroup of the pattern, namely the one we wrapped

static boolean check(java.lang.String sql)
Parameters:
    sql - a string representing an SQL query, decorated with special markers to set off user input

private static boolean compareSelect(java.util.Vector sel1, java.util.Vector sel2)
Parameters:
    sel1 - The SELECT vector with empty leaf nodes.
    sel2 - The SELECT vector with user input supplied.

private static boolean compareSelectItem(Zql.ZSelectItem sel1, Zql.ZSelectItem sel2)
Parameters:
    sel1 - The first SELECT item.
    sel2 - The second SELECT item, the one filled in by the user.

private static boolean compareFrom(java.util.Vector from1, java.util.Vector from2)
Parameters:
    from1 - The first FROM clause (not filled in with user input).
    from2 - The second FROM clause, filled in with user input.

private static boolean compareFromItem(Zql.ZFromItem from1, Zql.ZFromItem from2)
Parameters:
    from1 - The first FROM item.
    from2 - The second FROM item, the one filled in by the user.

private static boolean compareZExpression(Zql.ZExp exp1, Zql.ZExp exp2)
Parameters:
    exp1 - The first EXPRESSION item.
    exp2 - The second EXPRESSION item, the one filled in by the user.

private static boolean compareWhere(Zql.ZExp where1, Zql.ZExp where2)
Parameters:
    where1 - The first WHERE clause (not filled in with user input).
    where2 - The second WHERE clause, filled in with user input.

public static int getKeySize()

public static void setKeySize(int keySize)
Parameters:
    keySize - The keySize to set (in bits).

public static java.lang.String getLastQuery()

public static void setLastQuery(java.lang.String lastQuery)
Parameters:
    lastQuery - The lastQuery to set.