Evaluating and mitigating SQL injections in web applications: developing a prototype

Keywords: SQL injection, web application security, prototype, usability, Scrum methodology.

Abstract

In the current context of increasing digital vulnerability, SQL injections continue to pose a critical threat to web application security. To address this issue, SecureSQLTester was developed: a prototype aimed at detecting and mitigating SQL injection attacks, designed to be accessible to developers and small businesses. The proposal was based on a systematic review of existing techniques, integrating both classical and advanced protection approaches. The prototype was developed using the agile Scrum methodology, which enabled progressive improvements through iterative work cycles. Usability tests were conducted with software engineering students, who evaluated the tool in simulated scenarios. The results show that SecureSQLTester accurately identifies SQL vulnerabilities in the evaluated applications. However, opportunities for improvement were identified in the user interface, as well as the need to enhance parameter customization according to the usage context. Overall, the findings support the potential of the prototype as an effective and low-cost tool to strengthen cybersecurity in small- and medium-scale development environments and to promote the adoption of best practices throughout the software lifecycle.

Published: 2025-07-07

How to cite: N. Rodriguez Gavilanes, B. Loor Mendoza, and L. Llerena Guevara, “Evaluating and mitigating SQL injections in web applications: developing a prototype”, LAJC, vol. 12, no. 2, pp. 13–25, Jul. 2025.

Section: Research Articles for the Regular Issue