A Classification of SQL Injection Attacks and Techniques to Defend These Attacks in the Passive Defense
Article Type:
Research/Original Article (Promotional)
Abstract:
SQL injection attacks are a serious security threat to web applications in cyberspace. SQL injection attacks allow attackers to gain unlimited access to a database that includes applications and potentially sensitive information. Although researchers and practitioners have proposed different methods to solve the SQL injection problem, current approaches either fail to solve the full scope of the problem or have limitations that prevent their use and adoption. Many researchers and practitioners are familiar with only a subset of the wide range of available techniques to defend against SQL injection attacks. This paper provides a classification based on a comprehensive review of current techniques to defend against SQL injection attacks. This classification helps military and government organizations understand the techniques of defense against SQL injection attacks, so that they can choose appropriate techniques depending on their resources and environments. To deal with the problem of SQL injection attacks, this study surveys the various types of SQL injection attacks that are known today, with examples of how the attacks can be made. Various methods for diagnosing SQL injection vulnerabilities are described, and existing detection and prevention techniques against SQL injection attacks are investigated. Each technique is classified by its features and by its strengths and weaknesses in dealing with SQL injection attacks.
Language:
Persian
Published:
Passive Defense Quarterly, Volume 9, Issue 3, 2018
Pages:
101 to 117
https://magiran.com/p1907514