SQL DOM

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

SQL DOM: compile time checking of dynamic SQL statements

Full text

Pdf (353 KB)

Source

International Conference on Software Engineering archive
Proceedings of the 27th international conference on Software engineering table of contents

St. Louis, MO, USA

SESSION: Databases table of contents

Pages: 88 - 96

Year of Publication: 2005

ISBN:1-59593-963-2

Authors

Russell A. McClure	University of California, San Diego, La Jolla, CA
Ingolf H. Krüger	University of California, San Diego, La Jolla, CA

Sponsors

ACM: Association for Computing Machinery
SIGSOFT: ACM Special Interest Group on Software Engineering

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 29, Downloads (12 Months): 146, Citation Count: 12

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1062455.1062487 What is a DOI?

ABSTRACT

Most object oriented applications that involve persistent data interact with a relational database. The most common interaction mechanism is a call level interface (CLI) such as ODBC or JDBC. While there are many advantages to using a CLI -- expressive power and performance being two of the most key -- there are also drawbacks. Applications communicate through a CLI by constructing strings that contain SQL statements. These SQL statements are only checked for correctness at runtime, tend to be fragile and are vulnerable to SQL injection attacks. To solve these and other problems, we present the SQL DOM: a set of classes that are strongly-typed to a database schema. Instead of string manipulation, these classes are used to generate SQL statements. We show how to extract the SQL DOM automatically from an existing database schema, demonstrate its applicability to solve the mentioned problems, and evaluate its performance.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	.NET Framework. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/netfxanchor.asp, 2004.
	2	ADO.NET. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaccessingdatawithadonet.asp, 2004.
	3	Malcolm Atkinson , Ronald Morrison, Orthogonally persistent object systems, The VLDB Journal — The International Journal on Very Large Data Bases, v.4 n.3, July 1995
	4	American National Standard for Information Technology. Database languages -- SQLJ -- Part 1: SQL routines using the Java programming language. Technical Report ANSI/INCITS 331.1-1999, InterNational Committee for Information Technology Standards (formerly NCITS), 1999.
	5	Brant, J., and Yoder, J. W. Creating reports with query objects. In Harrison, N., Foote, B., and Rohnert, H., editors, Pattern Languages of Program Design 4. Addison Wesley, 2000.
	6	C#. http://msdn.microsoft.com/vcsharp/, 2004.
	7	Cengija, D. Hibernate your data. onJava.com, 2004.
	8	Clark, J., and DeRose, S. XML Path Language (XPath) Version 1.0. Technical report, W3C, 1999.
	9	Cook, W., and Rai, S. Safe Query Objects: Statically-typed objects as remotely-executable queries. http://www.cs.utexas.edu/users/wcook/Drafts/SafeQuery_CookRai.pdf, 2004.
	10	Dub, J. A., Sapir, R., and Purich, P. Oracle Application Server TopLink application developers guide, 10g (9.0.4). Oracle Corporation, 2003.
	11	Embedded SQL for C. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/esqlforc/ec_6_epr_01_3m03.asp, 2004.
	12	Carl Gould , Zhendong Su , Premkumar Devanbu, Static Checking of Dynamically Generated Queries in Database Applications, Proceedings of the 26th International Conference on Software Engineering, p.645-654, May 23-28, 2004
	13	Hamilton, G., and Cattell, R. JDBC patterns. Sun Microsystems, 2003.
	14	Michael Howard , David E. Leblanc, Writing Secure Code, Microsoft Press, Redmond, WA, 2002
	15	Keller, W. Mapping objects to tables - a pattern language. In Proceedings of the 1997 European Pattern Languages of Programming Conference, number 120/SW1/FB in Siemens Technical Report, Irsee, Germany, X. EA Generali, Vienna, Austria.
	16	Daan Leijen , Erik Meijer, Domain specific embedded compilers, Proceedings of the 2nd conference on Domain-specific languages, p.109-122, October 03-06, 1999, Austin, Texas, United States
	17	David Maier, Representing database programs as objects, Advances in database programming languages, ACM Press, New York, NY, 1990 [doi>10.1145/101620.101642]
	18	Matena, V., and Hapner, M. Enterprise Java Beans Specification 1.0. Sun Microsystems, 1998.
	19	Oracle SQLJ Roadmap, http://www.oracle.com/technology/tech/java/sqlj_jdbc/pdf/oracle_sqlj_roadmap.pdf, 2004.
	20	Russell, C. Java Data Objects (JDO) Specification JSR-12. Sun Microsystems, 1998.
	21	Roger E. Sanders, ODBC 3.5 Developer's Guide, McGraw-Hill Professional, 1998
	22	Smith, E. J. CodeSmith. http://www.ericjsmith.net/codesmith/, 2004.

CITED BY 12

	Zhendong Su , Gary Wassermann, The essence of command injection attacks in web applications, ACM SIGPLAN Notices, v.41 n.1, p.372-382, January 2006
	William G. J. Halfond , Alessandro Orso, AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, November 07-11, 2005, Long Beach, CA, USA
	Nicolas Juillerat, Enforcing code security in database web applications using libraries and object models, Proceedings of the 2007 Symposium on Library-Centric Software Design, p.31-41, October 21-21, 2007, Montreal, Canada
	Tal Cohen , Joseph (Yossi) Gil , Itay Maman, JTL: the Java tools language, ACM SIGPLAN Notices, v.41 n.10, October 2006
	William G. J. Halfond , Alessandro Orso, Preventing SQL injection attacks using AMNESIA, Proceeding of the 28th international conference on Software engineering, May 20-28, 2006, Shanghai, China
	William G. J. Halfond , Alessandro Orso , Panagiotis Manolios, Using positive tainting and syntax-aware evaluation to counter SQL injection attacks, Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering, November 05-11, 2006, Portland, Oregon, USA
	Joseph (Yossi) Gil , Keren Lenz, Eliminating impedance mismatch in C++, Proceedings of the 33rd international conference on Very large data bases, September 23-27, 2007, Vienna, Austria
	Joseph (Yossi) Gil , Keren Lenz, Simple and safe SQL queries with c++ templates, Proceedings of the 6th international conference on Generative programming and component engineering, October 01-03, 2007, Salzburg, Austria
	Muhammad Sher , Thomas Magedanz, A vulnerabilities analysis and corresponding middleware security extensions for securing NGN applications, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.16, p.4697-4709, November, 2007
	Martin Bravenboer , Eelco Dolstra , Eelco Visser, Preventing injection attacks with syntax embeddings, Proceedings of the 6th international conference on Generative programming and component engineering, October 01-03, 2007, Salzburg, Austria
	Sruthi Bandhakavi , Prithvi Bisht , P. Madhusudan , V. N. Venkatakrishnan, CANDID: preventing sql injection attacks using dynamic candidate evaluations, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
	Adam Kieyzun , Philip J. Guo , Karthick Jayaraman , Michael D. Ernst, Automatic creation of SQL Injection and cross-site scripting attacks, Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, p.199-209, May 16-24, 2009