• Title/Summary/Keyword: SQL injection


Case of Security Coding Guide (보안 코딩 지침의 사례)

  • Shin, Seong-Yoon; Lee, Sang-Won; Lee, Hyun-Chang
    • Proceedings of the Korean Society of Computer Information Conference / 2015.07a / pp.77-78 / 2015
  • This paper explains SQL injection as an example of secure software development guidelines. SQL injection is one of the software vulnerability types in the category of input data validation and representation. For SQL injection, this paper covers a description of the vulnerability, a conceptual diagram of the vulnerability, security countermeasures, and code examples.

Detection of NoSQL Injection Attack in Non-Relational Database Using Convolutional Neural Network and Recurrent Neural Network (비관계형 데이터베이스 환경에서 CNN과 RNN을 활용한 NoSQL 삽입 공격 탐지 모델)

  • Seo, Jeong-eun; Moon, Jong-sub
    • Journal of the Korea Institute of Information Security & Cryptology / v.30 no.3 / pp.455-464 / 2020
  • With a variety of data types and high utilization of data, non-relational databases are a popular form of data storage because they support better availability and scalability. The increasing use of this technology also brings the risk of NoSQL injection attacks. Existing works mostly discuss rule-based detection of NoSQL injection attacks, which makes it hard to deal with NoSQL queries beyond the coverage of the rules. In this paper, we propose a model for detecting NoSQL injection attacks. Our model is based on deep learning algorithms that select features from NoSQL queries using a CNN and classify NoSQL queries using an RNN. We also experiment with the proposed model to compare it with existing models, and find that our model outperforms traditional models in terms of detection rate.

Development of a String Injection Vulnerability Analyzer for Web Application Programs (웹 응용 프로그램의 문자열 삽입 보안 취약성 분석기 개발)

  • Ahn, Joon-Seon; Kim, Yeong-Min; Jo, Jang-Wu
    • The KIPS Transactions: Part A / v.15A no.3 / pp.181-188 / 2008
  • Nowadays, most web sites are developed using dynamic web pages, where web pages are generated and transmitted by web application programs. Therefore, the ratio of attacks injecting malevolent strings into vulnerable web applications is increasing. In this paper, we present a static program analyzer which analyzes whether a web application program has vulnerabilities to the SQL injection attack and the cross-site scripting (XSS) attack. To analyze programs using the abstract interpretation framework, we designed an abstract domain which models the potential string set along with excluded strings, and developed an abstract interpreter for the PHP language. Based on them, we also implemented a static analyzer. According to our experiments, our analyzer has competitive analysis speed and accuracy compared with related research results.

Relational Database SQL Test Auto-scoring System

  • Hur, Tai-Sung
    • Journal of the Korea Society of Computer and Information / v.24 no.11 / pp.127-133 / 2019
  • SQL is the most common language in data processing. Therefore, most colleges offer SQL in their curriculum. In this research, an auto-scoring SQL test is proposed for the efficient results of SQL education. The system was treated with algorithms instead of using an expensive DBMS (Database Management System) for automatic scoring, and satisfactory results were produced. For this system, the test question bank was established out of 'personnel management' and 'academic management'. It provides users with different sets of tests each time. Scoring was done by dividing tables into two sections: the one that does not change the table (select) and the other that actually changes the table (update, insert, delete). In the case of a search, the answer and the response were executed first and then the results were compared and processed; the user's answers are evaluated by comparing the table with the correct answer. Modification, insertion, and deletion of a table actually change the data table, so data was restored by using the ROLLBACK command. This system was implemented and tested 772 times on the 88 students in the Computer Information Division of our college. The results of the implementation show that the average scoring time for a test consisting of 10 questions is 0.052 seconds, and the performance of this system is distinguished considering that multiple responses cannot be processed at the same time by a human grader. In the near future we want to develop a question system that takes the difficulty of the questions into account.

Design and Implementation of SQL Injection attack prevention code conversion application (SQL Injection 공격 방지를 위한 코드 변환 애플리케이션 설계 및 구현)

  • Ha, Man-Seok; Park, Soo-Hyun
    • Proceedings of the Korea Information Processing Society Conference / 2014.04a / pp.441-444 / 2014
  • Despite the advantages of fast, accurate, and convenient information processing brought by the spread of the Internet, the rapidly increasing number of security incidents in recent years has made it urgent to establish measures for managing personal and corporate information. Among these, a great deal of damage is being caused by malicious acquisition of administrator privileges and abnormal logins through SQL injection attacks. Most current research related to SQL injection focuses on methods of detecting attacks. This paper seeks a fundamental solution by providing a function that analyzes program code, finds vulnerable inline SQL query statements containing quotation marks, and converts them into parameterized queries; it also aims to increase usefulness in development work by supporting various languages such as Java and C#.net.

Data Transformation through Mapping between XML and Relation Database (XML과 관계형 데이타베이스 매핑을 통한 자료의 변환)

  • Kim, Gil-Choon
    • Journal of the Korea Society of Computer and Information / v.9 no.4 s.32 / pp.5-12 / 2004
  • The data transformation between XML and a relational database is made through the principle of mapping between them. There are two ways to access SQL Server: one is to assign the SQL query to a URL and the other is to use a template file. MS-SQL Server takes advantage of the OpenXML function to transform the results of executing an SQL query into XML documents. That is, OpenXML first makes a node tree and then transforms the row set data of XML documents into XML data of relational type. In order to insert XML data into database data, data is extracted from parsing XML documents using the sp_xml_preparedocument procedure, and then the document structure is mapped into a tree structure and stored in a table of the database. Consequently, data transformation between XML and a relational database is made through mapping between them. This article proposes the principle of mapping between XML and relational databases and then shows the implementation of transformation between them, so that it introduces the possibility of bringing extension and efficiency of data and various effects.

Comparison of DBMS Performance for processing Small Scale Database (소용량 데이터베이스 처리를 위한 DBMS의 성능 비교)

  • Jang, Si-Woong
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2008.10a / pp.139-142 / 2008
  • While many comparisons of DBMS performance for processing large-scale databases are given as results of benchmark tests, there are few comparisons of DBMS performance for processing small-scale databases. Therefore, in this study, we compared and analyzed the performance of commercial DBMSs and public DBMSs for small-scale databases. Analysis results show that while Oracle has low performance on update and insert operations due to the overhead of rollback for data safety, MySQL and MS-SQL have good performance without additional overhead.

W3C XQuery Update facility on SQL hosts (관계형 테이블을 이용한 W3C XQuery 변경 기능의 지원)

  • Hong, Dong-Kweon
    • Journal of the Korean Institute of Intelligent Systems / v.18 no.3 / pp.306-310 / 2008
  • XQuery is a new recommendation for XML queries. As part of the efforts to extend XQuery capabilities, XML insertion and deletion are being studied and their standardization is in progress. Initially, XML databases were developed simply for XML document management. Now their functions are extending to OLTP. In this paper we add updating functions to an XQuery processing system that was developed only for XQuery retrievals. We suggest the structure of tables, numbering schemes for hierarchical structures, and the methods for SQL translation of XQuery updates.

Comparison of DBMS Performance for processing Small Scale Database (소용량 데이터베이스 처리를 위한 DBMS의 성능 비교)

  • Jang, Si-Woong
    • Journal of the Korea Institute of Information and Communication Engineering / v.12 no.11 / pp.1999-2004 / 2008
  • While many comparisons of DBMS performance for processing large-scale databases are given as results of benchmark tests, there are few comparisons of DBMS performance for processing small-scale databases. Therefore, in this study, we compared and analyzed the performance of commercial DBMSs and public DBMSs for small-scale databases. Analysis results show that while Oracle has low performance on update and insert operations due to the overhead of rollback for data safety, MySQL and MS-SQL have good performance without additional overhead.

Performance Comparisons on MongoDB with B-Tree Indexes and Fractal Tree Indexes (MongoDB에서 B-트리 인덱스와 Fractal 트리 인덱스를 이용한 성능 비교)

  • Jang, Seongho; Kim, Suhee
    • Proceedings of the Korean Institute of Information and Communication Sciences Conference / 2014.05a / pp.622-625 / 2014
  • As big data began to produce a variety of values, a database that allows for huge amounts of varied data came to be needed. Therefore, to overcome the limitations of the complexity and capacity of the existing RDBMS, NoSQL databases were introduced. Among the different types of NoSQL databases, MongoDB is the most commonly used and is offered as open source. The B-tree index used in MongoDB experiences a significant decrease in performance as the amount of data increases. The fractal tree index substantially enhances the performance of the B-tree by improving the B-tree's insertion algorithm. In this paper, the performance of MongoDB when using a B-tree index and when using a fractal tree index is compared.