Comprehensive Review of Advanced Techniques for Mitigating SQL Injection Vulnerabilities in Modern Applications


Authors : Amit Hariyani; Dr. Prashant Dolia

Volume/Issue : Volume 10 - 2025, Issue 3 - March


Google Scholar : https://tinyurl.com/3tfpebwt

Scribd : https://tinyurl.com/4vd97smc

DOI : https://doi.org/10.38124/ijisrt/25mar1982



Abstract : SQL injection (SQLi) remains a major security threat to database-driven applications, so protecting the confidentiality, integrity, and availability of their data is essential. In this research, we summarize effective strategies to prevent SQL injection attacks (SQLIAs), such as parameterized queries, stored procedures, Object Relational Mappers (ORM), input validation, input escaping, and Web Application Firewalls (WAF). We assess each technique on its effectiveness, ease of use, and performance impact, with real-world examples of its use. Our literature review covers research from the past five years, highlighting the changing nature of SQLi threats and the improvements in prevention methods. This study offers a detailed look at effective SQLi prevention techniques and their implementation, together with a comparison of their effectiveness. By understanding and applying these approaches, organizations can significantly reduce the risk of SQLIAs and protect their important data.

Keywords : SQL Injection, Database Security, Parameterized Queries, Stored Procedures, ORM, Input Validation.
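The abstract names parameterized queries and input validation among the primary mitigations. The following Python example is added here and is not code from the paper; it shows the mechanism on an in-memory SQLite database: a lookup built by string concatenation beside the same lookup with bound parameters, plus an allowlist validator as defense in depth. The table, its rows, the function names and the username pattern are all constructed for illustration.

```python
import re
import sqlite3

# Constructed sample schema and rows (not from the paper), kept in memory.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable form: the caller's text is spliced into the SQL grammar itself,
    so any quote in it can close the literal and change the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value is bound to a placeholder and sent separately from
    the statement, so it is always compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allowlist for usernames (assumed policy): letters, digits, and a few punctuation
# characters, 1 to 32 characters long. Validation narrows what reaches the query;
# it complements parameter binding rather than replacing it.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.'-]{1,32}")


def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_defended(conn: sqlite3.Connection, username: str) -> list:
    """Input validation in front of a parameterized query."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


def demo() -> dict:
    """Run both lookups on a legitimate name containing an apostrophe and on a
    constructed tautology input, and return the observed behaviour."""
    conn = make_db()
    results = {}

    # A legitimate value with an apostrophe: concatenation produces invalid SQL,
    # binding returns the matching row.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    results["bound_apostrophe"] = lookup_parameterized(conn, "o'brien")

    # Constructed tautology input: concatenated, it rewrites the WHERE clause and
    # returns every row; bound, it is just a string that matches no username.
    injected = "x' OR '1'='1"
    results["concat_injected"] = lookup_vulnerable(conn, injected)
    results["bound_injected"] = lookup_parameterized(conn, injected)
    results["validator_rejects_injected"] = not validate_username(injected)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version fails on ordinary data (a name with an apostrophe) and returns the whole table on the constructed tautology input, while the bound version handles both as plain values; the allowlist rejects the tautology outright and gives a clear, loggable failure before the database is reached.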

