By Topic

Using Automated Fix Generation to Secure SQL Statements

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

2 Author(s)
Thomas, S. ; North Carolina State Univ., Raleigh ; Williams, L.

Since 2002, over 10% of total cyber vulnerabilities were SQL injection vulnerabilities. Since most developers are not experienced software security practitioners, a solution for correctly fixing SQL injection vulnerabilities that does not require security expertise is desirable. In this paper, we propose an automated method for removing SQL injection vulnerabilities from Java code by converting plain text SQL statements into prepared statements. Prepared statements restrict the way that input can affect the execution of the statement. An automated solution allows developers to remove SQL injection vulnerabilities by replacing vulnerable code with generated secure code. In a formative case study, we tested our automated fix generation algorithm on five toy Java programs which contained seeded SQL injection vulnerabilities and a set of object traceability issues. The results of our case study show that our technique was able remove SQL injection vulnerabilities in five different statement configurations.

Published in:

Software Engineering for Secure Systems, 2007. SESS '07: ICSE Workshops 2007. Third International Workshop on

Date of Conference:

20-26 May 2007