Insider threat resistant SQL-injection prevention in PHP

Ettore Merlo, Dominic Letarte and Giuliano Antoniol

Technical Report (2006)

Published Version
Terms of Use: All rights reserved.
Cite this document: Merlo, E., Letarte, D. & Antoniol, G. (2006). Insider threat resistant SQL-injection prevention in PHP (Technical Report n° EPM-RT-2006-04).


Web sites are either static sites, programs, or databases. Very often they are a mixture of these three aspects, integrating relational databases as a back-end. Web sites require configuration and programming attention to assure the security, confidentiality, and trustworthiness of the published information. SQL-injection attacks rely on weak validation of textual input used to build database queries. Maliciously crafted input may threaten the confidentiality and the security policies of Web sites relying on a database to store and retrieve information. Furthermore, insiders may introduce malicious code in a Web application, code that, when triggered by some specific input, for example, would violate security policies. This paper presents an original approach that combines static analysis, dynamic analysis, and code re-engineering to automatically protect applications written in PHP from both malicious input (outsider threats) and malicious code (insider threats) that carry SQL-injection attacks. The paper also reports preliminary results about experiments performed on an old SQL-injection-prone version of phpBB (version 2.0.0, 37193 LOC of PHP version 4.2.2 code). Results show that our approach successfully improved phpBB-2.0.0 resistance to SQL-injection attacks.

Uncontrolled Keywords

SQL-injection, software security analysis, software re-engineering

Open Access document in PolyPublie
Subjects: 2700 Information Technology > 2700 Information Technology
2700 Information Technology > 2711 Database Management
Department: Department of Computer Engineering and Software Engineering (Département de génie informatique et génie logiciel)
Research Center: Not applicable
Funders: Natural Sciences and Engineering Research Council of Canada (NSERC)
Date Deposited: 12 Jun 2018 10:46
Last Modified: 16 Jun 2021 17:09
PolyPublie URL: https://publications.polymtl.ca/3138/
Document issued by the official publisher
Report number: EPM-RT-2006-04