Abstract: Web application security is a serious isssuc of information security, and SQL- injection is one of the most com- mon attacks. This paper proposed an approach to counter SQL Injection which combines static mod}matching and dy- namic fcaturcfiltering. It learned automatically the structure feature of all legal SQL statements to construct knowledge library in safe environments, and then matched every SQL statement with knowledge library in real environments. If succeeded , this SQL statement was considered to be legitimate. If failed, it was not determined to be illegal immediately. We would take depth-feature check based on Valucat Risk,and identitify the true illegal SQL statements. Experimental results prove that this proposed approach has good performance and perfect protection for SQL Injection.

Key words: Sclf-lcarning,SQL Syntax-trcc,Pattcrn-marthing,Fcaturcfiltcring