A Comparative Analysis of Detection and Prevention Techniques of SQL Injection Attacks
Table of Contents
Project Risks and Risk Mitigation Strategies. 10
The nature of SQL injection attacks. 10
Different Types of SQL Injection Attacks. 10
Causes of Injection Attacks. 12
Detection Techniques of SQL Injections. 13
Preventive Techniques of SQL Injection Attacks. 15
Introduction
Due to the rapid technology growth, globalization and digitalization web application have become prevalent as it is used across most sectors such as e-commerce, money transfer, social networking and so on. According to Kindy & Pathan (2011) web application works based on its ability to interact with a database where vital information is stored. Web applications are highly inclined to diverse new security risks that are generated daily from different sources since the applications are hosted within the internet which holds a complex information infrastructure. Due to its cost efficiency, accessibility and confidentiality aspects the internet has become a critical information source for hackers. Despite existing measures to protect unauthorized access to data major attacks are rampant due to technology development. Based on Junjin (2009), SQL injections refer to one of the leading web attack approaches that are utilized by hackers to acquire confidential data from organizations in an unauthorized many. It is a form of attack, where hackers initiate spiteful SQL statements that assert control on the databases within the affected web application. In other words, SQL injection is an approach that explores an existing security vulnerability taking place in the database within the application. The attack normally takes advantage with regard to poor validation of input within the web administration. The attacks lead to the loss of integrity, confidentiality, data availability and security thus affecting the operations of the businesses. SQL injections allow hackers to gain access to the backend side of the database. Once they have this access, they can modify the SQL queries that are generated by the SQL database.
Irrespective of the type and size of business data is one of the most vital asset in the business landscape today which needs to be protected by applying the most suitable information security measures. Even though developers use a broad range of techniques to avoid SQL injections, it is still a common risk for many web applications. This calls for the need for the implementation of the best preventive techniques that can reduce the incidents of attack. Thus, the ability to identify and prevent databases related attacks is important in promoting business efficiency as well as guarding the privacy and confidentiality of information related to the business and client base.
This paper provides a comparative analysis of the various forms of SQL injection attacks. The paper also offers additional insights concerning the techniques that can be used by web application administrators to detect and prevent these attacks. The comparative analysis is based on the functionality, performance as well as practicality of each method. The comparison is done using the analytic approach. This means that the comparison of the techniques used to deploy the techniques is also carried out. The outcomes of the study will increase awareness about the importance of assessing the security levels of the applications using the suggested tools. Based on the approach of each tool the application administrators can choose the most effective technique to detect the vulnerabilities and to protect the systems against the SQL injection attacks.
Research ObjectiveThe objective of the research is to carry out a comparative analysis of the detection and preventive strategies for SQL injection attacks.
Research AimsThis study aims to:
- Analyze the detection techniques used to identify the vulnerabilities in applications
- Analyze the preventive methods used to protect systems against SQ injection attacks
- Carry out a comparative analysis of the detection and preventive techniques.
Today, web applications are commonly being used within the online platform for various purposes such as social networking and e-commerce businesses. Most companies today, have an established web application the objective is to effectively tap the online market as online services have become an important source of revenue and business growth (Kindy & Pathan, 2012). Most of these applications rely on the use of data-driven processes. Information and data are the most valuable asset that is owned by any given company in the business landscape today that helps in achieving a notable level of information security. Based on the structure of the web applications, they are exposed to some security threats one of them being SQL injection.
The attack allows hackers to get information illegitimately and the data usually contain sensitive and personal information such as financial information, credit card numbers, location and security codes (Halfond, Viegas & Orso, 2006). In such, the entire system is adversely affected and the attacks might lead to criminal activities such as identity theft, financial losses and loss of privacy and confidentiality. In addition, the activities might create fear among the customer base with respect to the affected firm for example for online banking leading to the loss of business. With the sudden increase of web applications and their functions like shopping online and making payments through the internet the security, efficiency and the reliability of the systems has to be adequate to reduce the cases of hacking and other malicious attacks. To do this effectively, the administrators have to take different security measure that can protect the databases from injection attacks (Shan, Xiaorui, & Hong 2010).
With respect to the web application reports on security, it has been established that SQL is one of the leading web security threat based on its complex infrastructure that is changing rapidly due to technology development thus affecting measures to develop solutions (Shehu & Xhuvani, 2014). SQL injection is among the common form of layer attacks and this database attack is used by mean and unauthorized people to steal data and confidential information. The attackers launch successful attacks on the databases by taking advantage of their security vulnerabilities. Most times, these vulnerabilities target the database layer of the web application (Shan, Xiaorui, & Hong 2010). The hackers also take advantage of the poor execution of input authentication in the source code and the database.
Unpermitted access to this type of data usually threatens the integrity and confidentiality of the information system. In so doing, the information system bears intense losses in the attempt to offer quality services to the web users and in most cases, the attack leads to complete destruction (Kumar & Pateriya, 2012). The attack is most used by database attackers in stealing sensitive information regarding the systems of different organizations as the means of destroying their competitive advantage or for personal gains such as financial theft. In the recent cases, protecting information has become a critical priority for most companies even within the healthcare sector because the leaking of confidential information due to hacking has been prevalent in destroying reputations leading to business depreciation.
The attacks are developed not only to destroy the security system and steal vital information but to make apparent modifications to the database system and contents. Thus, SQL injection remains to be a very intimidating attack in most cases which depends on the platform where the attack is placed and it successfully injects unauthorized users to the existing systems (Pooja, 2015). The attacks usually take place due to the fact that some vulnerabilities within the system are dominant and they, therefore, provide opportunities for hacking. The structure of the web application system is a challenging one and identifying the relationship between data can serve effectively in enhancing security within the entire system as a whole. The injected attacks are in most cases coded to eliminate any cases of detection by the existing defense mechanisms due to the integration with other attack approaches thus illustrating the significance of addressing the issue.
Research MethodologyThe current research takes the form of a quantitative research study that will use secondary research which entails the use of data and information which already exists in scholarly sources. In other words, it involves reviewing existing literature to develop feasible solutions to SQL injection web application attacks. The data gathered from previous publications on the same topic will be summarized and collated to enhance the overall effectiveness of the results. The sources include published research reports and manuscripts. These sources can be found in online journal databases and public libraries. Quantitative research was selected over a qualitative one because the results are quantifiable meaning that it eliminates chances of misinterpretations derived from assumptions. Sources will be selected based on their relevance to the study. In that, only the sources that addresses the detection and prevention criteria of SQL will be selected due to the need to produce reliable and credible results. Literature review following thematic approach is the data analysis approach that is used in summarizing and analyzing data into relevant themes.
Program Management Approach
The figure below outlines the program management approach . The researcher will use the saline approach of project management .In this approach, the project milestones are outlined beforehand and a sequential implementation of the steps entailed in the project plan is done. The steps are outlined in the figure belowProject Steps
Grant Chart: Task Breakdown Structure and Weekly Plan
|
Stages of Research |
Week 1 |
Week 2 |
Week 3 |
Week 4 |
Week 5 |
Week 6 |
Week 7 |
Week 8 |
Week 9 |
Week 10 |
Week 11 |
Week 12 |
Week 13
|
|
Selection of topic |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Meeting with supervisor |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Identifying secondary sources |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Literature Review |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Research Plan |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Selecting research method |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Data Analysis |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Reporting Findings |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Feedback and suggestions |
|
|
|
|
|
|
|
|
|
|
|
|
|
Communication Plan
Communication is an important aspect for conducting a research effectively. In the course of the project, the researcher will hold meetings with the supervisor to provide timely assessments of the progress. The communication plan below outlines the schedule of the meetings.
|
Communicaiton |
Frequency |
Goal |
|
Project Status Report |
Weekly |
Update supervisor on the status of the project |
|
Task Progress Update |
Weekly |
Porvdie updates of each milestone |
|
Project Review |
Weekly |
Discuss the entire project for review and feedback |
|
Project Completion |
Weekly |
Update the supervisor of the new chnages included in the final draft. |
Project Risks and Risk Mitigation Strategies
The project risks and the mitigation strategies are highlighted below
|
Project Impact |
High |
Moderate |
Low |
Mitigation |
|
Cost |
High budgetary research requirements |
Failure to compensate participants |
Inability to find free secondary sources |
Monitoring cost and budget |
|
Schedule |
Time constraints |
Incomplete data collection |
Late project submission |
Completing project milestones |
Results
The nature of SQL injection attacks
There are various cardinal types of Structured Query Language attackers. Even though some hackers usually execute each type separately, it is also possible to have a different kind of attacks done at the same time. Basically, the objective of the attack usually determines the nature of the attack, and what to be used. For example, more than often successful attacks use injection attacks that happen through the initial SQL query.
Different Types of SQL Injection Attacks
Tautologies: This attack happen when the hacker injects code using the conditional OR function. This, in turn, ensures that all qualifiers in the server are recorded as true statements.
Incorrect Queries: This takes places when the hacker attempts to collect data and information that is revealed in the error message. The error message can disclose details such as the structure and the nature of the database in the program (Shan, Xiaorui, & Hong 2010). The sensitive information can, in turn, be used to facilitate and launch a successful attack of the database.
Union Query: This involves the insertion of the UNION query into some of the parameters which have been identified as vulnerable. The insertion results in the return of a combination of the outcome of the initial consultation and those of the injected query (Shan, Xiaorui, & Hong 2010).The attack makes it difficult for the server to differentiate between legitimate and illegitimate insertions.
Stored Procedure: A large number of databases use defined standards for the procedures . The primary purposed of the standards is to improve the overall functionality and the responsiveness of the database. In turn, this makes the various interactions between the database and the operating system possible (Gupta, 2019). For instance, the hacker may attempt to run the stored procedures through a fake injection code.
Piggy-Backed Queries: this attack entails the attempts of the attacker to make extra fake queries into the initial and valid question. This results in the reception of numerous queries at the same time all of which need to be executed (Gupta, 2019). This vulnerability is considerably different because it is not dependent on the database.
Inference attacks: This SQL injection attack involves the modification of the behavior of the entire database. By making unauthorized changes, the hacker can gain access to the database change the objects contained in the database. The SWL attack is prevalent for the unsecured databases (Gupta, 2019).
Timing attacks: In this attack, the unauthorized person creates a code which runs on false and true statements (Gupta, 2019). The conditional statements produced by the hacker are injected through the vulnerable parameters that were yet to be secured. The hacker takes advantage of the time delays and the slowed responsiveness of the database.
Alternate Encodings: This involves changing the injected code to avoid detection. The approach takes advantage of the various limitations of the defensive practices of coding. In other instances, it automates the techniques used to prevent SQL injections (Wei, Muthuprasanna, & Kothari, 2006). This type of attack is typically used alongside the other types of attacks.
Causes of Injection Attacks
Invalidated inputs: Invalidated inputs are among the leading causes of the attacks. This is based on the fact that essentially the SQL query is made of various parameters including the insert, update, quotation marks and alters (Shan, Xiaorui, & Hong 2010). If the administrator fails to check the correct input methods, unauthorized people can take advantage of this vulnerability to modify the database.
Variable Size: Applications whose variables are uncontrollable and take up significant amounts of data storage are the other common cause of the SQL injection attacks. Malicious users exploit this vulnerability by entering fake values as input.
Error Message: These messages are revealed when the administrator or the user inputs wrong or fake details into to database application (Gupta, 2019). Hackers take advantage of this vulnerability by getting the structures of the scripts. The other common way of exploitation is of accessing sensitive information that has been stored in the database. This information and access can be used by the hacker to create a successful database attack.
Exclusive client-side control: If the application accepts the validation of the input from the scripts on the client side only the hacker can override the security function of the party and proceed to invalidate the information and to gain access to the database (Gupta, 2019). This is attributable to the fact that most systems are not secured on the client side.
Subselect: This cause of the injection attacks results from the direct insertion of the SQL query into the location query. The outcome of the introduction of vulnerabilities in the database. Hackers can attain this through the by insertion of an into out file clause in the form (Hartley, 2012).
Stored Procedure: The stored procedure describes a program which is comprised of several functions all of which can be called to execution different times. When the hacker tries to change the procedures into calls, the stored procedures becomes the call instead of the original services (Hartley, 2012). Doing this allows the hacker to execute, modify and damage the database.
Generous Privileges: the privileges describes the rights and the permissions that e access to the database and its respective objects. Some common examples of privileges include select, insert and delete. If the system has generous privileges, the attacker can get access by bypassing the authentication procedure to gain these and more opportunities.
Detection Techniques of SQL InjectionsAdministrators can use two main detective techniques to safeguard their applications from SQL attacks. The first involves the design of a technique which can be used reliably to detect and identify the precise form of SQL attack. The second approach entails gaining advanced capability and capacity and being able to execute a program that can easily identify a potential attack (Gupta, 2019). The subsequent sections describe the various methods used to detect the weaknesses of the SQL injections.
Unit Gen Tool
This detection tool entails the application of a Unit Gen tool (Roy, 2011). This tool works similarly with the Find Bug tools used for static analysis (Gupta, 2019). The Unit Gen tool carries out automated tests that are needed to detect and attempts to manipulate the input vulnerabilities. The efficiency of this detection technique is demonstrated by the ability of the tool to accept false positives (Roy, 2011). The tool ensures that unauthorized people cannot use fake codes to get access to the database.
Static Analysis Framework
Under this model, it can determine the different vulnerabilities of the database, most especially during the compiling process. For example, according to Gupta (2019), the static framework can carry out a special nature of analysis of the white box, together with the hybrid constraint solver. The byte code technique which is comprised of different strings is most suitable for the proposed approach. The administrator also has the alternative of carrying out a string analysis, which augurs well with Integer, as well as Boolean variables.
Roichman and Gaudet's Scheme
In this detective approach the scheme monitors the access to the database. The administrator can supervise it supervised by the various integrating types of access controls in the applications. The approach creates robust solutions to the vulnerability which stems from the traceability of the SQL session (Clarke, 2009). The other benefit of this detection system is that it is widely applicable to most types of database applications.
SQL-IDS Approach
Under this kind of approach, the technique is focused on the security of the system specifications. The detection approach enables the discovery of the system vulnerabilities that would be susceptible to the SQL injections (Clarke, 2009). The advantage of the technique is that this is executed without the production of false positives or false negatives (Gupta, 2019). The approach is even faster during the operation, although it needs a detailed analysis and comparison of other approaches.
Statement Generational Algorithm
Under this approach, the system has been designed to remove or reduce vulnerabilities of injection attacks. This happens through the automatically generated algorithm, and some of them include; web goat, net trust, roller, and trust.
Database Design Testing
This technique detects which is based on the tests carried out on the database, and it can detect weaknesses through scrutinizing the input points. More so, the approach is also able to detect vulnerabilities of injection attacks beforehand, hence reducing incidences of attacks. The detection tool can carry out all these by incorporating simulation attacks, and it is also important to note that the system becomes even much effective by detecting the attacks beforehand.
Test Case Generation
Thanks to the ability to automatically carry out test cases, this technique is constantly able to note any nature of vulnerabilities. The system is based on the integration of a particular prototype which deals with the queries axiomatically (Gupta, 2019). This technique can also be used to identify the various dependencies in the smaller questions. The efficiency of the approach is relatively high as it can detect the vulnerabilities 85% of the time (Cherry, 2013).
Preventive Techniques of SQL Injection AttacksWhen it comes to the prevention measures laid down to avert the attacks above, the database administrators can make use of any solid techniques to remove and reduce vulnerabilities present within a system. These preventive measures can protect the database against the hackers and intruders who rely on the weaknesses and the vulnerabilities that were not detected by the detection techniques discussed in the previous section.
In the section below, the paper has focused on 12 preventive techniques that can be carried out before and after running the system to prevent it from any sort of attacks. Nevertheless, it is important to note that besides detecting injection attacks, these techniques can be used to stop or alleviate the exploitation of hackers.
SQL and Scheme
This technique involves the randomization the query language of the application (Cherry, 2013). The application developers ensure that a typical target application is targeted during the implementation of the security protocols. The resultant scheme is a preventive framework that allows the administrator to make quires through random instructions rather than the typical SQL keywords (Pandurang, & Karia, 2015).
The proxy filters included in the design ensures that the queries made to the database are prevented while at the same time de-randomizing the keywords (Cherry, 2013). This implies that if an attacked puts the SQL code into the program, it would be blocked by the instruction set of the randomized keywords (Cherry, 2013). The injected code would produce an incorrect query which would result in a syntax error. The proposed approach has a high performance of 90% of the overheads which are placed on each question (Pandurang, & Karia, 2015).
SQL DOM Scheme
Under this prevention method, it involves the use of class sets which are incorporated into the databases scheme (Cherry, 2013). The preventive technique detects the current vulnerabilities of the application while at the same time ensuring that rightful users have access to the database. The scheme can detect the barriers of the interactions between the user and the database and prevent them. This is attained using the call level interfaces. The approach is suitable for applications which require a safe communication environment (Cherry, 2013).
Parse Tree Validation
This preventive technique terminates all the executable false statements unless they have consent from the administrator (Cherry, 2013). The preventive approach is mostly used for the SQL Guard applications. The limitations of the technique include the overhead computation and the back lists that sometimes deny authorized users access to the database (Cherry, 2013).
SQLCHECK Approach
This preventive approach is executed in the real time. The process of preventing the attacks starts which ascertaining that the inputs align with the data that were defined by the developer (Cherry, 2013). The technique also makes use of a confidential key to delimit the inputs of the user. The approach does not show false outputs. Instead, the developer runs it overhead, and its execution is direct (Cherry, 2013).
DIWeDa Approach
This approach detects malicious attacks and prevents SQL injection attacks on the program. The developers include intrusion during the development phase. The model acts as a session-level more than a transaction phase (Cherry, 2013). Researchers assert that the preventive technique is both efficient and effective in identifying the injections and the violations of the system (Carter, 2018).
Hash Value Scheme
This preventive technique involves the use of the hash values which define the user name and the passwords. When using this approach, the hash values are formed and calculated as the system continues running (Carter, 2018). The scheme has a high overhead as the result of its ability to secure most web applications against SQL injection attacks (Cherry, 2013).
Manual Approach
This is another significant technique that can be employed to help the system avert or not experience SQL attacks. According to Cherry (2013), manual approach can be used to handle manipulation vulnerabilities that are present in a system. But when developers are using the kind of a technique, they review the code and then execute programming that is on a defensive mode. During the review of the code, the administrator can apply an affordable technique for bug detection (Cherry, 2013). The approach needs the developers to have advanced knowledge about the SQLIAs (Carter, 2018). Defensive programming entails the incorporation of an input filter which would prevent the users from entering suspicious keywords.
Automated Approach
This model or framework entails the use of two important models, namely; FindBugs and Static analysis. These two special models can be used to check if a system has vulnerabilities. Also, they can detect the different types of viruses present in a system, and consequently send out a message or a notice. The beauty of this approach is that these two systems can poke, as well as scan the applications. Each framework also can examine how the system responds to potential attacks.
Removing SQL query attribute values
The last, but not the least approach of preventing system injection attacks is to find a way on how attribute values of the SQL can be removed. The approach is preferred because of its ability to carry out both static and dynamic investigation (Cherry, 2013). The preventive technique also gets rid of the attribute values during runtime by comparing these values with those which were implemented to detect any cases of injection.
DISCUSSIONThe comparative analysis and discourse of the different techniques of detecting and stopping SQL injections is pegged on the performance and the efficiency of each technique. The analyses details how each of the methods works against well know types of injection attacks. The best detection and prevention technique is that which can successfully identify all kinds of attacks and prevent them. The worst techniques are those who do not have the guarantee of detecting some types of attacks (Cherry, 2013). Although other researchers for detection and prevention have suggested several approaches, only a few methods can be used practically.
Injection techniques should have the ability to detect the two fundamental types of attacks. When weaknesses or vulnerabilities are detected in the stored procedures, the codes which are employed to come up with query generation should be stored and executed on the database (Cherry, 2013). Most of the detection techniques only target the queries which are generated by the application rather than its database. This is attributable to the view that including detection techniques which would work at the database level is not only costly but strenuous as well. This means that the attacks which target the stored procedure are mostly undetected by most of the techniques.
It is important to note that unlike the stored procedures attacks, the attacks which are directed on alternate encoding are more likely to be difficult to manage. Out of the detection types highlighted in this research, only the SQL Check, and the SQL Guard techniques can effectively deal with the attacks which target alternate encoding (Cherry, & Larock 2011). The feature which allows the two methods to deal with the alternate encoding attacks effectively is that they have an integrated database parse that clarifies the string of the query. This is the same process used by the database (Cherry, & Larock 2011).
Aside from SQL Check and SQL Guard, the other detection techniques that have high performance are the developer-oriented approaches. These define the mechanism which deals with the attacks using the standard API which in most cases is the SQLDOM. In addition to this, the preventive approaches can detect the susceptibilities present within a system, to avert SQL attacks. The best methods are those who use a different approach in choosing the criteria and the attributes that qualify to generate queries (Cherry, & Larock 2011).
The defensive techniques also differentiate between those who can add checks and securities in the application from those who do not. The former ensures the enforcement of the most useful coding practices, the latter focus on preventing the attacks by stopping the quires in the course of run time (Cherry, 2013). The preventive techniques which can handle most types of vulnerabilities are those who have integrated the premise of defensive coding in its mechanism of preventing attacks.
Conclusion
In summary, SQL is an information security threat that is connected to the internet connected database. It is the ability to detect and implement preventative measures that help in safeguarding information security. Due to the changing technology and the rising number of skilled attackers they are able to identify weaknesses within the system thus taking advantage of such systems. SQL is one of the most threatening and prevalent information system attacks but it is preventable and this should be a consideration of any given project prior to implementing the network. The paper offers a discussion of some of the most feasible detection as well as prevention approaches while dealing with such attacks. With the rapid technology growth, the need to enhance efficiency and expand businesses within the online platform information security is needed.
References
Carter, P. A. (2018). SQL Injection. Securing SQL Server, 221-245. Doi: 10.1007/978-1-4842-4161-5_10
Cherry, D. (2013). SQL Injection Attacks. Securing SQL Server, 221-247. doi:10.1016/b978-1-59-749947-7.00008-3
Cherry, D., & Larock, T. (2011). SQL Injection Attacks. Securing SQL Server, 149-169. doi:10.1016/b978-1-59749-625-4.10006-x
Clarke, J. (2009). Exploiting SQL Injection. SQL Injection Attacks and Defense, 137-218. doi:10.1016/b978-1-59749-424-3.00004-9
Gupta, S. (2019). SQL Injection Attack. Ethical Hacking – Orchestrating Attacks. Doi: 10.1007/978-1-4842-4340-4_9
Halfond, W. G., Viegas, J., & Orso, A. (2006, March). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (Vol. 1, pp. 13-15). IEEE.
Hartley, D. (2012). What Is SQL Injection? SQL Injection Attacks and Defense, 1-25. doi:10.1016/b978-1-59-749963-7.00001-3
Junjin, M. (2009, April). An approach for SQL injection vulnerability detection. In 2009 Sixth International Conference on Information Technology: New Generations (pp. 1411-1414). IEEE.
Kindy, D. A., & Pathan, A. S. K. (2011, June). A survey on SQL injection: Vulnerabilities, attacks, and prevention techniques. In 2011 IEEE 15th international symposium on consumer electronics (ISCE) (pp. 468-471). IEEE.
Kindy, D. A., & Pathan, A. S. K. (2012). A detailed survey on various aspects of sql injection in web applications: Vulnerabilities, innovative attacks, and remedies. arXiv preprint arXiv:1203.3324.
Kumar, P., & Pateriya, R. K. (2012, July). A survey on SQL injection attacks, detection and prevention techniques. In 2012 Third International Conference on Computing, Communication and Networking Technologies (ICCCNT'12) (pp. 1-5). IEEE.
Pandurang, R. M., & Karia, D. C. (2015). Impact analysis of preventing cross site scripting and SQL injection attacks on web application. 2015 IEEE Bombay Section Symposium (IBSS). doi:10.1109/ibss.2015.7456668
Pooja Saini, S. (2015). Survey and Comparative Analysis of SQL Injection Attacks, Detection and Prevention Techniques for Web Applications Security. International Journal on Recent and Innovation Trends in Computing and Communication, 3(6), 4148-4153.
Roy, S. (2011). Detecting and Defeating SQL Injection Attacks. International Journal of Information and Electronics Engineering. doi:10.7763/ijiee.2011.v1.6
Shan, L., Xiaorui, D., & Hong, R. (2010). An adaptive method preventing database from SQL injection attacks. 2010 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE). doi:10.1109/icacte.2010.5579002
Shehu, B., & Xhuvani, A. (2014). A Literature Review and Comparative Analyses on SQL Injection: Vulnerabilities, Attacks and their Prevention and Detection Techniques. International Journal of Computer Science Issues (IJCSI), 11(4), 28.
Wei, K., Muthuprasanna, M., & Kothari, S. (2006). Preventing SQL injection attacks in stored procedures. Australian Software Engineering Conference (ASWEC06). doi:10.1109/aswec.2006.40.
