1. Field of the Invention
The present invention relates generally to computer software and system security. More specifically, the invention relates to protecting software applications and related databases from unauthorized and malicious operations.
2. Description of the Related Art
Software applications and programs typically utilize data stored in some type of data storage area. Often such applications store a wide range of data and retrieve and update the data frequently. In one scenario, a software application may be an online user application, such as a program that is used by the public over the Internet. Such a program, executing on a server (e.g., a Web server), often has a database associated with it. The database may be implemented on a separate database server. Users may have to log on to the application using a browser in order to access it. The application may use the database to authenticate and verify users, for example, by checking user IDs and passwords. These and other types of data are received by the online application and then typically transformed into a format which can be used to query the database. For example, the application is written in a general-purpose programming or scripting language (e.g., Java or C++), while the database is queried in a separate language whose statements are embedded in, and constructed by, the application code. If the database is relational, that language is the well-known structured query language, or SQL.
An increasingly prevalent issue with online programs, and with conventional desktop applications, is the class of security vulnerabilities that can arise when statements in one programming or scripting language are embedded in, and constructed by, another programming language. A specific instance of these vulnerabilities exists when an application or program uses a relational database, that is, when SQL is embedded in another application programming language and user-supplied data is incorporated directly into the text of the SQL statements. This vulnerability allows hackers to perform what are referred to as SQL injections. Hackers or other unauthorized entities enter data through an application's normal user interface, knowing that the data will be converted into a specific type of SQL statement which, in turn, will be used to modify or retrieve data from the database, change passwords and security settings, lock out administrators, and the like. In other words, the hacker causes an SQL statement of the hacker's choosing to be injected into the application's database, producing harmful or unexpected behavior in the application. SQL injections are security vulnerabilities that occur in what may be referred to as the “database layer” of an application. They allow the unauthorized and harmful retrieval and modification of data in a relational database. Hackers can take advantage of these vulnerabilities to steal information, modify or destroy data, obtain administrator privileges and perform other undesirable acts.
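As an added illustration, not part of the patent text, the following Python example shows the mechanism described above using the standard-library sqlite3 module: a login check that concatenates the user-supplied user ID and password into the SQL text, beside the same check written with the common defensive programming practice of passing the values as bound parameters. The users table, the account "alice", its password, and the payload string are constructed assumptions for this example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with one user account.
    The schema and credentials are illustrative assumptions only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES ('alice', 'correct horse')"
    )
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """Assemble the SQL text by string concatenation, the pattern the
    patent describes: the user's input becomes part of the statement, so a
    quote character in the input changes the structure of the query."""
    return (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Run the concatenated statement. Returns True if any row matched."""
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    """Send the statement and the values separately. The driver binds the
    values as data, so the statement's structure is fixed no matter what
    characters the input contains."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None


def demo():
    """Exercise both variants with a legitimate login, a wrong password,
    and a classic injection payload entered in the username field. The
    payload closes the quoted literal, appends an always-true clause, and
    comments out the remainder of the statement with '--'."""
    conn = make_db()
    payload = "' OR '1'='1' -- "
    results = {
        "injected_sql": build_vulnerable_sql(payload, "wrong"),
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_parameterized": login_parameterized(conn, "alice", "correct horse"),
        "bad_password_vulnerable": login_vulnerable(conn, "alice", "wrong"),
        "bad_password_parameterized": login_parameterized(conn, "alice", "wrong"),
        # The concatenated query admits the attacker without a valid account.
        "attack_vulnerable": login_vulnerable(conn, payload, "wrong"),
        # The bound-parameter query looks for a user literally named
        # "' OR '1'='1' -- " and finds none.
        "attack_parameterized": login_parameterized(conn, payload, "wrong"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The statement produced for the attack is `SELECT id FROM users WHERE username = '' OR '1'='1' -- ' AND password = 'wrong'`; because AND binds tighter than OR, the `'1'='1'` clause makes the WHERE condition true for every row and the password check is commented away, which is exactly the "data converted into a specific type of SQL statement" that the paragraph describes.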
There are no reliable or widespread solutions for dealing with SQL injection vulnerabilities in application code. Presently, application developers who are aware of SQL injection dangers attempt to prevent it by following programming guidelines and practices that minimize the possibility of SQL injection by hackers. These programming guidelines do not cover all SQL injection issues. When new SQL injection techniques appear, application developers have to update their code and may have to re-program their entire application to deal with the new issues, which are becoming increasingly complicated.