Title: Process Using Universal Sanitization to Prevent Injection Attacks
Abstract: Injection attacks, particularly SQL Injection (SQLi), remain the top risk in software, despite extensive research on methods to prevent these attacks. A novel process is set forth that would prevent injection attacks in all cases, including secondary injection, without interfering with legitimate queries. The technique is based on a simple algorithm for sanitizing input character data, rather than on a particular technology. As such, this sanitizing solution would apply to all programming languages and databases, including NoSQL databases. An alternative approach, using the sanitized version of the data in order to determine whether the original input character data contains potentially malicious data, is also set forth.
Publication number: US2015156209(A1) Publication date: 2015.06.04
Application number: US201314096480 Filing date: 2013.12.04
Applicant: Heart Karen Inventor: Heart Karen
Classification: H04L29/06 Main classification: H04L29/06
Agency: Agent:
Principal claim: 1. A method performed by at least one computer processor for transforming character data that is input to the computer system, comprising the steps of: a) receiving, by the computer processor, untrusted character data from a user, file, or other sources; and b) encoding, by the computer processor, said untrusted character data into data consisting of the hexadecimal digit representation that corresponds to the underlying numeric values used by said computer processor to store and process said untrusted character data; or c) receiving, by the first computer processor, character data sent from a second computer system to the first, where said data is encoded by the means described above in b); and d) decoding, by the first computer processor, of the received character data from hexadecimal digit representation into corresponding numeric values used by said first computer processor for storing and processing character data.
Address: Oak Park IL US
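Added example, not part of the patent record or the applicant's own code: the encoding step of claim 1(b) and the decoding step of claim 1(d) in Python, applied to the SQL Injection case the abstract names. It assumes UTF-8 bytes as the "underlying numeric values" the processor uses to store character data, and uses a constructed SQLite table plus a classic `' OR '1'='1` payload to show why the hex form is safe to splice into a query by plain concatenation: the encoded text contains only the characters 0-9 and a-f, so no quote or operator survives to be parsed as SQL. The function names (encode_hex, decode_hex, build_demo_db, naive_lookup, sanitized_lookup) are this example's own.

```python
import re
import sqlite3

# Encoded output may contain only these characters. That is what makes the
# transformation safe to splice into a query: no quote, space or operator
# remains that a SQL parser could mistake for syntax.
HEX_ONLY = re.compile(r"[0-9a-f]*")


def encode_hex(untrusted: str) -> str:
    """Claim 1(b): replace every character of the untrusted input with the
    hexadecimal digits of the numeric values used to store it.
    Assumption made by this example: the storage representation is UTF-8."""
    return untrusted.encode("utf-8").hex()


def decode_hex(encoded: str) -> str:
    """Claim 1(d): the receiving side turns the hex digits back into the
    original character data. Anything that is not pure hex of even length
    is rejected rather than guessed at."""
    if len(encoded) % 2 or not HEX_ONLY.fullmatch(encoded):
        raise ValueError("input is not hex-encoded character data")
    return bytes.fromhex(encoded).decode("utf-8")


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration (not data from the patent)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    return conn


def naive_lookup(conn: sqlite3.Connection, untrusted_name: str) -> list:
    """Deliberately injectable: raw input spliced into a quoted literal."""
    sql = "SELECT id FROM users WHERE name = '" + untrusted_name + "'"
    return [row[0] for row in conn.execute(sql)]


def sanitized_lookup(conn: sqlite3.Connection, untrusted_name: str) -> list:
    """Same string concatenation, but only hex digits ever reach the query text.
    SQLite's X'...' blob literal performs the decoding of claim 1(d) inside the
    database; CAST(... AS TEXT) yields the original characters as data."""
    sql = ("SELECT id FROM users WHERE name = CAST(X'"
           + encode_hex(untrusted_name) + "' AS TEXT)")
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = build_demo_db()
    payload = "' OR '1'='1"
    print(encode_hex(payload))              # 27204f52202731273d2731
    print(naive_lookup(conn, payload))      # [1, 2]: the payload became SQL
    print(sanitized_lookup(conn, payload))  # []: the payload stayed data
    print(sanitized_lookup(conn, "alice"))  # [1]
    print(decode_hex(encode_hex("Ünïcödé")))  # round trip of non-ASCII input
```

The same splice works in any database that can decode a hex literal (for example MySQL's `UNHEX()`); where the database cannot, the application decodes with `decode_hex` after the text has crossed the untrusted boundary, which is the second-system scenario of claim 1(c) and 1(d). Note that the encoding only neutralizes the interpretation of the data by the query parser; the decoded value still has to be treated as untrusted wherever it is used next.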