LAUSR

SQL injection attack (SQLIA) is one of the most severe attacks that can be used against web database driving applications. Attackers use SQLIA to get unauthorized access and perform unauthorized data modification. To combat problem of SQLIA, different researchers proposed variety of tools and methods that can be used as defense barrier between client application and database server. However, these tools and methods failed to address the whole problem of SQL injection attack, because most of the approaches are vulnerable in nature, cannot resist sophisticated attack or limited to scope of subset of SQLIA type. With regard to this different researcher proposed different approach (experimental and analytical evaluation) to evaluate the effectiveness of these existing tools based on type SQLIAs they can detect or prevent. However, none of the researcher considers evaluating these existing tool or method based on their ability to be deployed in various injection parameters or development requirements therefore, in this study Kitchenham’s guidelines of performing systematic review of software for conducting our study. In this paper, we reviewed the tools and methods that are commonly used in detection and prevention of SQLIA, Finally, we analytically evaluated the reviewed tools and methods based on our experience with respect to SQIAs types and injection parameters. The evaluation result showed that most researchers focused on proposing approaches to detect and prevent SQLIAs, rather than evaluating the efficiency and effectiveness of the existing SQLIA detection and prevention tools/methods. The study also revealed that more emphasis was given by the previous studies on prevention measures than detection measures in combating problem of SQLIAs. An analysis showed that these tools and methods are developed to prevent subset of SQLIAs type and only few of them can be deployed to various injection parameters to be considered in examining SQLIAs. It further revealed that none of the tools or methods can be deployed to prevent attacks that can take advantage of second order (server side SQLIA) SQLI vulnerability. Finally, the study highlights the major challenges that require immediate response by developers and researchers in order to prevent the risk of being hacked through SQLIAs.