Result: On the Automated Verification of Web Applications with Embedded SQL

Title:
On the Automated Verification of Web Applications with Embedded SQL
Authors:
Itzhaky, Shachar, Kotek, Tomer, Rinetzky, Noam, Sagiv, Mooly, Tamir, Orr, Veith, Helmut, Zuleger, Florian
Contributors:
Shachar Itzhaky and Tomer Kotek and Noam Rinetzky and Mooly Sagiv and Orr Tamir and Helmut Veith and Florian Zuleger
Publisher Information:
Schloss Dagstuhl – Leibniz-Zentrum für Informatik
Publication Year:
2017
Collection:
DROPS - Dagstuhl Research Online Publication Server (Schloss Dagstuhl - Leibniz Center for Informatics )
Subject Terms:
SQL, scripting language, web services, program verification, two-variable fragment of first order logic, decidability, reasoning
Document Type:
Academic journal article in journal/newspaper<br />conference object
File Description:
application/pdf
Language:
English
Relation:
Is Part Of LIPIcs, Volume 68, 20th International Conference on Database Theory (ICDT 2017); https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ICDT.2017.16
DOI:
10.4230/LIPIcs.ICDT.2017.16
Availability:
https://doi.org/10.4230/LIPIcs.ICDT.2017.16
https://nbn-resolving.org/urn:nbn:de:0030-drops-70509
https://drops.dagstuhl.de/entities/document/10.4230/LIPIcs.ICDT.2017.16
Rights:
https://creativecommons.org/licenses/by/3.0/legalcode
Accession Number:
edsbas.8B4379F7
Database:
BASE

Further Information

A large number of web applications is based on a relational database together with a program, typically a script, that enables the user to interact with the database through embedded SQL queries and commands. In this paper, we introduce a method for formal automated verification of such systems which connects database theory to mainstream program analysis. We identify a fragment of SQL which captures the behavior of the queries in our case studies, is algorithmically decidable, and facilitates the construction of weakest preconditions. Thus, we can integrate the analysis of SQL queries into a program analysis tool chain. To this end, we implement a new decision procedure for the SQL fragment that we introduce. We demonstrate practical applicability of our results with three case studies, a web administrator, a simple firewall, and a conference management system.