Information and Software Technology
Since 2002, over 10% of all cyber vulnerabilities have been SQL injection vulnerabilities (SQLIVs). This paper presents a prepared statement replacement algorithm that removes SQLIVs by replacing dynamically constructed SQL statements with prepared statements. A prepared statement has a static structure: its logical structure is fixed before any input value is bound, so an SQL injection attack cannot change it. We implemented the algorithm in a corresponding tool for automated fix generation and conducted four case studies of open source projects to evaluate the capability of the algorithm and its automation. The empirical results show that the generated prepared statement code correctly replaced 94% of the SQLIVs in these projects.
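The following is an added illustration of the replacement idea, not the paper's algorithm or tool: a small Python (3.9+) rewriter that finds `cur.execute(...)` calls whose statement is built by `+` concatenation, hoists each spliced expression into a bound parameter, drops the single quotes that wrapped it in the SQL text, and emits the prepared form with `?` placeholders. It assumes DB-API `?` style (sqlite3) and handles only direct concatenation with single-quoted literals; `run_against_sqlite` executes a rewritten statement against a constructed in-memory table to show the bound value (here a name containing a quote) no longer takes part in the statement's structure.

```python
import ast
import sqlite3

def flatten_concat(node):
    """Flatten a chain of `+` into string literals and the expressions spliced between them."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return flatten_concat(node.left) + flatten_concat(node.right)
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return [node.value]
    return [node]

def build_prepared(parts):
    """Build (template, params): each spliced expression becomes '?' and its wrapping quotes go."""
    template, params = "", []
    for i, part in enumerate(parts):
        if isinstance(part, str):
            template += part
            continue
        if template.endswith("'"):  # opening quote of the old literal, e.g. name = '...
            template = template[:-1]
        if i + 1 < len(parts) and isinstance(parts[i + 1], str) and parts[i + 1].startswith("'"):
            parts[i + 1] = parts[i + 1][1:]  # closing quote of the old literal
        template += "?"
        params.append(part)
    return template, params

class PreparedStatementRewriter(ast.NodeTransformer):
    replaced = 0  # number of execute() calls converted

    def visit_Call(self, node):
        self.generic_visit(node)
        arg = node.args[0] if len(node.args) == 1 else None
        if (isinstance(node.func, ast.Attribute) and node.func.attr == "execute"
                and isinstance(arg, ast.BinOp) and isinstance(arg.op, ast.Add)):
            template, params = build_prepared(flatten_concat(arg))
            node.args = [ast.Constant(value=template, kind=None), ast.Tuple(elts=params, ctx=ast.Load())]
            self.replaced += 1
        return node

def replace_with_prepared(source):
    rewriter = PreparedStatementRewriter()
    return ast.unparse(rewriter.visit(ast.parse(source))), rewriter.replaced

def run_against_sqlite(statement_src, name):
    """Run a rewritten statement against a constructed in-memory table (cur and name bound)."""
    cur = sqlite3.connect(":memory:").cursor()
    cur.execute("CREATE TABLE users (name TEXT, age INTEGER)")
    cur.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 30), ("O'Brien", 41)])
    exec(statement_src, {"cur": cur, "name": name})
    return cur.fetchall()
```

With the original concatenated form, the same name would have produced a malformed statement (an unbalanced quote), which is exactly the class of structural change a bound parameter rules out.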