Detecting and preventing SQL injection attacks: A formal approach

Mohammad Qbea'H, Mohammad Alshraideh, Khair Eddin Sabri

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

21 Citations (Scopus)


Many organizations use databases to store confidential data. Some of these data are published on the World Wide Web (WWW) and the rest are kept hidden. Unfortunately, attackers frequently try to access and steal the hidden data by attacking the structure and content of the database with a technique called Structured Query Language Injection Attack (SQLIA). This technique lets attackers execute unauthorized queries on the database through vulnerabilities in input fields and page URLs, and such queries may reveal or alter the confidential data. Many techniques are available in the literature to prevent and detect SQLIA. However, these techniques do not consider languages other than English, such as Arabic, Greek, and Japanese, and so may fail to discover attacks written in those languages. In this paper, we present a formal approach to detect and prevent common types of SQLIA that takes multiple languages into account. We formalize tautology and alternative-encoding attacks using regular expressions and finite automata, and we consider cases not discussed in the literature. Furthermore, we provide regular expressions and code that developers can use to detect and prevent attacks on websites that use Microsoft SQL Server 2014 (MSSQL). We validate our work manually and with tools. The results show that our model detects and prevents SQL injection attacks, including those written in languages other than English.
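The following is an added example, not the paper's own regular expressions or code, illustrating the two points the abstract makes: an English-only tautology filter ([A-Za-z0-9]) misses `' OR 'ب'='ب` and `' OR 'α'='α`, while a Unicode-aware one (`\w`) catches them, and alternative encodings (URL encoding, T-SQL `CHAR()`/`NCHAR()`, `0x` hex literals, full-width quotes) must be folded before matching. The regular expressions, the sample data and the sqlite3 stand-in for MSSQL are all assumptions made here so the block runs offline; the `?` placeholder style shown in `login_safe` is the same one pyodbc uses against SQL Server.

```python
import re
import sqlite3
import unicodedata
import urllib.parse

# --- alternative-encoding normalisation ------------------------------------
# T-SQL lets an attacker spell a quote as CHAR(39)/NCHAR(39) or hide a whole
# keyword in a hex literal (0x4F52 = 'OR'); the web layer adds URL encoding,
# possibly applied twice. A detector must fold all of these before matching.
CHAR_CALL_RE = re.compile(r"\bN?CHAR\(\s*(\d+)\s*\)", re.IGNORECASE)
HEX_LIT_RE = re.compile(r"\b0x((?:[0-9A-Fa-f]{2})+)\b")


def normalize(payload: str) -> str:
    """Unwind the encodings used to hide quotes and keywords from a filter.

    Loops until the text stops changing, so double URL encoding
    (%2527 -> %27 -> ') is undone. NFKC folds full-width forms such as
    U+FF07 (＇) onto their ASCII equivalents.
    """
    s, prev = payload, None
    while s != prev:
        prev = s
        s = urllib.parse.unquote(s)                       # %27 -> ', %D8%A8 -> ب
        s = CHAR_CALL_RE.sub(lambda m: chr(min(int(m.group(1)), 0x10FFFF)), s)
        s = HEX_LIT_RE.sub(lambda m: bytes.fromhex(m.group(1)).decode("utf-8", "replace"), s)
        s = unicodedata.normalize("NFKC", s)
    return s


# --- tautology detection ----------------------------------------------------
# Shape:  OR <q><value><q> = <q><same value><q?>   e.g.  ' OR 'a'='a   or  OR 1=1
# The ASCII pattern is what an English-only filter typically looks like; it
# cannot match 'ب'='ب or 'α'='α because [A-Za-z0-9] excludes those letters,
# which is the gap a multi-language detector has to close.
_TAUTOLOGY = r"\bor\b\s*(['\"]?)({word}+)\1\s*=\s*\1\2\1?(?!\w)"
ASCII_TAUTOLOGY_RE = re.compile(_TAUTOLOGY.format(word="[A-Za-z0-9]"), re.IGNORECASE)
UNICODE_TAUTOLOGY_RE = re.compile(_TAUTOLOGY.format(word=r"\w"), re.IGNORECASE)


def is_tautology(payload: str, unicode_aware: bool = True) -> bool:
    """True if the decoded payload contains an always-true OR comparison."""
    pattern = UNICODE_TAUTOLOGY_RE if unicode_aware else ASCII_TAUTOLOGY_RE
    return pattern.search(normalize(payload)) is not None


# --- prevention -------------------------------------------------------------
def _sample_db() -> sqlite3.Connection:
    # Constructed sample data; sqlite3 stands in for MSSQL so this runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    return db


def login_vulnerable(name: str, password: str) -> bool:
    """String concatenation: a tautology makes the WHERE clause always true."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return _sample_db().execute(sql).fetchone() is not None


def login_safe(name: str, password: str) -> bool:
    """Parameterised query: the payload stays data. pyodbc against MSSQL uses
    the same '?' placeholder style, so the fix carries over unchanged."""
    sql = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return _sample_db().execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    for p in ["admin' OR 'a'='a", "admin' OR 'ب'='ب", "%27%20OR%20%27α%27%3D%27α", "O'Brien"]:
        print(f"{p!r:40} ascii={is_tautology(p, False)!s:5} unicode={is_tautology(p)}")
    print("vulnerable login:", login_vulnerable("admin", "x' OR 'ب'='ب"))
    print("safe login:      ", login_safe("admin", "x' OR 'ب'='ب"))
```

The detector is only a filter: it reduces the attack surface for code that cannot be changed, but `login_safe` shows the actual fix, which is to keep user input out of the query text altogether so that no tautology, in any script, reaches the parser as SQL.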

Original language: English
Title of host publication: Proceedings - 2016 Cybersecurity and Cyberforensics Conference, CCC 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Number of pages: 7
ISBN (Electronic): 9781509026579
Publication status: Published - Oct 18 2016
Externally published: Yes
Event: 1st Cybersecurity and Cyberforensics Conference, CCC 2016 - Amman, Jordan
Duration: Aug 2 2016 - Aug 4 2016

Publication series

Name: Proceedings - 2016 Cybersecurity and Cyberforensics Conference, CCC 2016


Conference: 1st Cybersecurity and Cyberforensics Conference, CCC 2016


Keywords

  • Encoding
  • Finite Automata
  • Regular Expression
  • SQL Injection
  • Website Security

ASJC Scopus subject areas

  • Law
  • Computer Networks and Communications

