Inline views: protecting against SQL injection attacks while providing access to aggregate values
BRUZZO, PAOLO
2014/2015
Abstract
In this work we describe a novel technique applicable to already existing web applications, in order to protect them against classic SQL injection attacks. We focus on the definition of security policies from the point of view of the web application administrator, and their automatic transformation into correct SQL statements that act as an inline view and replace every occurrence of the table that needs to be protected; in this way each query only targets the data that the application user is allowed to access, instead of the original database table. The novelty of this work consists in the definition of rules that not only transform simple policies into the actual temporary views, but also allow aggregate results (such as the sum or average of other data) to be retrieved correctly; a simple drop-in replacement with a view that only exposes a subset of the original data would in fact return wrong results when aggregate values are selected. With this work we want to show the feasibility of this approach and the performance impact it has on the target applications.

File | Description | Size | Format
---|---|---|---
2015_12_Bruzzo.pdf (accessible on the internet to everyone) | Thesis text | 826.5 kB | Adobe PDF
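The abstract describes two things: an administrator policy turned into an inline view that is substituted for every reference to the protected table, and the fact that a plain restricted view gives different aggregate results than the original table. The following Python/sqlite3 script is an added illustration written for this page, not code from the thesis; the table, rows, policy syntax (a bare WHERE predicate) and the regex-based `rewrite` helper are all assumptions, and the thesis's own rules for obtaining correct aggregates are not reproduced here. It shows that an unrestricted query (the worst case after a successful injection) is contained by the view, and it measures the aggregate discrepancy the abstract warns about.

```python
import re
import sqlite3

# Constructed sample data (not from the thesis): (id, name, dept, salary)
ROWS = [
    (1, "alice", "eng", 120),
    (2, "bob", "eng", 80),
    (3, "carol", "sales", 60),
    (4, "dave", "sales", 40),
]


def open_db():
    """Create an in-memory database holding the constructed table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE employees (id INTEGER, name TEXT, dept TEXT, salary INTEGER)"
    )
    con.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", ROWS)
    return con


def inline_view(table, policy_sql):
    """Turn an administrator policy (assumed here to be a WHERE predicate)
    into an inline view. The view keeps the original table name as its
    alias, so existing application queries need no changes."""
    return f"(SELECT * FROM {table} WHERE {policy_sql}) AS {table}"


def rewrite(sql, table, view):
    """Replace every FROM/JOIN reference to the protected table with the
    inline view. Hypothetical regex-based rewriter for illustration; a
    production implementation would work on a parsed statement."""
    pattern = re.compile(rf"\b(FROM|JOIN)\s+{re.escape(table)}\b", re.IGNORECASE)
    return pattern.sub(lambda m: f"{m.group(1)} {view}", sql)


def run(sql, policy_sql=None):
    """Execute sql, optionally after substituting the policy view for the
    protected table, and return all result rows."""
    con = open_db()
    if policy_sql is not None:
        sql = rewrite(sql, "employees", inline_view("employees", policy_sql))
    return con.execute(sql).fetchall()


def demo():
    policy = "dept = 'eng'"  # rows the application user may access

    # Worst case after an injection: no WHERE clause survives and the
    # whole table is selected. The view limits what can come back.
    leaked = run("SELECT name FROM employees")
    contained = run("SELECT name FROM employees", policy)

    # The application's own WHERE clause still applies on top of the view.
    filtered = run("SELECT name FROM employees WHERE salary > 50", policy)

    # Aggregates over the view are computed over the permitted subset only,
    # so they differ from the aggregate over the original table. This is
    # the discrepancy the thesis addresses with its transformation rules.
    true_avg = run("SELECT AVG(salary) FROM employees")[0][0]
    view_avg = run("SELECT AVG(salary) FROM employees", policy)[0][0]

    return {
        "leaked": leaked,
        "contained": contained,
        "filtered": filtered,
        "true_avg": true_avg,
        "view_avg": view_avg,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the rewriter only touches the application's query text and the view carries the table's original name as its alias, column references and the application's own WHERE clause keep working; the cost is that every aggregate is now evaluated over the visible subset, which is exactly the case the abstract says a naive view replacement gets wrong.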
Documents in POLITesi are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/10589/115024