[WEB SECURITY] Automatically Preparing Safe SQL Queries

venkat venkatakrishnan venkat at cs.uic.edu
Wed Jun 16 19:32:32 EDT 2010


Hi all:

We'd like to announce an  important and exciting  result from my research group at the University of Illinois at Chicago that will be of interest to this community. This work  addresses a long standing open problem in web security.


The recommended defense for eliminating SQL injection from web applications is the use of PREPARE statements.The process of converting a web application's source code to make use of PREPARE statements has so far been through human labor, typically done by developers. The question of whether it is possible to come up with a correct method that would enable a computer program to do this source conversion automatically has so far remained open.


In our recent work, we have developed a method to address this long standing problem. Our method develops a novel algorithm based on symbolic execution to do the conversion. A paper that describes this technology appeared recently in the Financial Crypto & Data Security (FC'10) conference, and a copy can be found here: http://cs.uic.edu/~venkat/research/papers/Taps-fc10.pdf


A tool called TAPS has been developed as part this research. The tool takes as input a PHP-based web application and converts all its SQL query locations into PREPARE statements.    Try a demo of TAPS online at  http://sisl.rites.uic.edu/rearch/index.html


A test harness with many tricky PHP code snippets is available at the above site that illustrates how the tool works. TAPS has been applied to successfully transform several open source apps. 


We can now claim that push-button technology is available to  eliminate SQL injection from web applications!


TAPS is part of doctoral dissertation work of my PhD advisee Prithvi Bisht, who is also cc'd on this email. We solicit your feedback and comments.

--venkat


venkat venkatakrishnan
Assistant Professor
Computer Science
University of Illinois at Chicago
venkat at uic.edu
http://www.cs.uic.edu/~venkat
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

To unsubscribe email websecurity-unsubscribe at webappsec.org and reply to 
the confirmation email

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list