Association for Computing Machinery
SQL injection attacks are one of the topmost threats for applications written for the Web. These attacks are launched through specially crafted user input on web applications that use low level string operations to construct SQL queries. In this paper, the authors exhibit a novel and powerful scheme for automatically transforming web applications to render them safe against all SQL injection attacks. A characteristic diagnostic feature of SQL injection attacks is that they change the intended structure of queries issued. Their technique for detecting SQL injection is to dynamically mine the programmer-intended query structure on any input, and to detect attacks by comparing them against the intended query structure.