1. Field of the Invention
The present invention relates to database security. More specifically, the present invention relates to a method and an apparatus for providing query-level security for a database system.
2. Related Art
Databases commonly store highly sensitive data, such as salaries, corporate financial data, and even classified military secrets. Consequently, database systems are typically designed to prevent unauthorized accesses to sensitive data. This problem is compounded by the fact that middle-tier applications often access a database on behalf of various users. Consequently, the database system must often rely on applications to provide access control mechanisms. Although applications that access databases typically ensure that a given query originates from an authorized user, many of these applications are vulnerable to a form of attack known as “SQL injection.”
In order to perform SQL injection, a user provides an input to an application which includes an SQL statement. In doing so, the user knows that the application will incorporate this input, which includes the SQL statement, into a query, and that the SQL statement will cause the query to retrieve data which is different from the data that the application intended to retrieve.
For example, suppose a user enters the value “5” into a ProdID field of a web form, so that the web form submits the value 5 to an associated application. The application then forms a SQL statement such as:
    SELECT prize, color FROM inventory WHERE ProdID=5.
This query returns the values from the prize and color columns of the inventory table for an entry where the ProdID field contains the value 5.
Instead of simply entering the value “5” into the web form, the user can input the string “5 OR 1=1” into the web form. When the application substitutes this string into the query, the following query is formed.
    SELECT prize, color FROM inventory WHERE ProdID=5 OR 1=1.
This query, in contrast to the original query, returns values from the prize and color columns in every row of the inventory table!
The above is just one example of SQL injection. This is a well-known problem and will not be described further.
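The ProdID example above, as an added illustration that is not part of the original text: the same form input is run through a concatenated query and through a validated, bound-parameter query. The SQLite in-memory database, the sample rows and the function names are assumptions made for the example; only the table and column names come from the text.

```python
import sqlite3

# Constructed sample rows (ProdID, prize, color); not data from the original text.
ROWS = [(3, 10.0, "red"), (5, 25.0, "blue"), (7, 40.0, "green")]


def make_db():
    """Build an in-memory inventory table matching the text's example schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory (ProdID INTEGER PRIMARY KEY, prize REAL, color TEXT)"
    )
    conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, prod_id_field):
    """Vulnerable form: the form input becomes part of the SQL text itself."""
    sql = "SELECT prize, color FROM inventory WHERE ProdID=" + prod_id_field
    return conn.execute(sql).fetchall()


def lookup_bound(conn, prod_id_field):
    """Hardened form: validate the input as an integer, then bind it as a value.

    A bound parameter is only ever compared as data; it is never parsed as SQL.
    """
    try:
        prod_id = int(prod_id_field)
    except ValueError:
        return []  # input is not a product id; reject it before touching the database
    return conn.execute(
        "SELECT prize, color FROM inventory WHERE ProdID=?", (prod_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for field in ("5", "5 OR 1=1"):
        print(repr(field), "concatenated:", lookup_concatenated(db, field))
        print(repr(field), "bound:       ", lookup_bound(db, field))
```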
Currently, database applications perform tests on queries to detect SQL injection. While these tests can be effective, there are many drawbacks to this solution. Requiring each application to perform tests for SQL injection requires a significant amount of effort on the part of the application developers, who must add code to their applications to perform these tests. Additionally, since different applications are typically developed by different developers, there is generally a lack of consistency in applying these tests across different applications.
Hence, what is needed is a method and an apparatus for providing query-level security for a database without the problems described above.