On the automated verification of web applications with embedded SQL

Shachar Itzhaky, Tomer Kotek, Noam Rinetzky, Mooly Sagiv, Orr Tamir, Helmut Veith, Florian Zuleger

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


A large number of web applications is based on a relational database together with a program, typically a script, that enables the user to interact with the database through embedded SQL queries and commands. In this paper, we introduce a method for formal automated verification of such systems which connects database theory to mainstream program analysis. We identify a fragment of SQL which captures the behavior of the queries in our case studies, is algorithmically decidable, and facilitates the construction of weakest preconditions. Thus, we can integrate the analysis of SQL queries into a program analysis tool chain. To this end, we implement a new decision procedure for the SQL fragment that we introduce. We demonstrate practical applicability of our results with three case studies, a web administrator, a simple firewall, and a conference management system.

Original languageEnglish
Title of host publication20th International Conference on Database Theory, ICDT 2017
EditorsGiorgio Orsi, Michael Benedikt
ISBN (Electronic)9783959770248
StatePublished - 1 Mar 2017
Event20th International Conference on Database Theory, ICDT 2017 - Venice, Italy
Duration: 21 Mar 201724 Mar 2017

Publication series

NameLeibniz International Proceedings in Informatics, LIPIcs


Conference20th International Conference on Database Theory, ICDT 2017


  • Decidability
  • Program verification
  • Reasoning
  • SQL
  • Scripting language
  • Two-variable fragment of First Order logic
  • Web services

All Science Journal Classification (ASJC) codes

  • Software

Cite this