Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
551980 | Information and Software Technology | 2009 | 10 Pages |
Abstract
Since 2002, over 10% of total cyber vulnerabilities were SQL injection vulnerabilities (SQLIVs). This paper presents an algorithm of prepared statement replacement for removing SQLIVs by replacing SQL statements with prepared statements. Prepared statements have a static structure, which prevents SQL injection attacks from changing the logical structure of a prepared statement. We created a prepared statement replacement algorithm and a corresponding tool for automated fix generation. We conducted four case studies of open source projects to evaluate the capability of the algorithm and its automation. The empirical results show that prepared statement code correctly replaced 94% of the SQLIVs in these projects.
Keywords
Related Topics
Physical Sciences and Engineering
Computer Science
Human-Computer Interaction
Authors
Stephen Thomas, Laurie Williams, Tao Xie,