On the automated verification of web applications with embedded SQL

Shachar Itzhaky, Tomer Kotek, Noam Rinetzky, Mooly Sagiv, Orr Tamir, Helmut Veith, Florian Zuleger

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review


A large number of web applications is based on a relational database together with a program, typically a script, that enables the user to interact with the database through embedded SQL queries and commands. In this paper, we introduce a method for formal automated verification of such systems which connects database theory to mainstream program analysis. We identify a fragment of SQL which captures the behavior of the queries in our case studies, is algorithmically decidable, and facilitates the construction of weakest preconditions. Thus, we can integrate the analysis of SQL queries into a program analysis tool chain. To this end, we implement a new decision procedure for the SQL fragment that we introduce. We demonstrate practical applicability of our results with three case studies, a web administrator, a simple firewall, and a conference management system.

Original languageEnglish
Title of host publication20th International Conference on Database Theory, ICDT 2017
EditorsGiorgio Orsi, Michael Benedikt
PublisherSchloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing
ISBN (Electronic)9783959770248
StatePublished - 1 Mar 2017
Event20th International Conference on Database Theory, ICDT 2017 - Venice, Italy
Duration: 21 Mar 201724 Mar 2017

Publication series

NameLeibniz International Proceedings in Informatics, LIPIcs
ISSN (Print)1868-8969


Conference20th International Conference on Database Theory, ICDT 2017


FundersFunder number
Austrian National Research NetworkS11403-N23
Austrian Science Fund


    • Decidability
    • Program verification
    • Reasoning
    • SQL
    • Scripting language
    • Two-variable fragment of First Order logic
    • Web services

    Cite this