Abstract
Most modern web applications rely on retrieving updated data from a database. In response to a request from a web page, the application will generate a SQL query, and often incorporate portions of the user input into the query. SQL injection refers to injecting crafted malicious SQL query segments to change the intended effect of a SQL query. The hacker could access unauthorized data, or even gain complete control over the web server or back-end database system. SQL injection attack has become one of the top web application vulnerabilities. In this project, I surveyed different types of SQL injection attacks and the corresponding countermeasure strategies proposed by other researchers. A new technique to detect and prevent SQL injection attacks is presented; the basic idea is to insert a validation process between the generation of SQL query and the query execution. The technique consists of both static analysis of web application code and runtime validation check of dynamically generated SQL query. Following four steps are involved: Identify hotspot; analyze SQL query; initialization; and runtime validation check. The project was implemented using JAVA. Performance evaluation was also conducted.