Evaluating and mitigating SQL injections in web applications: developing a prototype
Abstract
In the current context of increasing digital vulnerability, SQL injections continue to pose a critical threat to web application security. To address this issue, SecureSQLTester, a prototype aimed at detecting and mitigating SQL injection attacks, was developed; it is designed to be accessible to developers and small businesses. The proposal was based on a systematic review of existing techniques, integrating both classical and advanced protection approaches. The prototype was developed using the agile Scrum methodology, which enabled progressive improvements through iterative work cycles. Usability tests were conducted with software engineering students, who evaluated the tool in simulated scenarios. The results show that SecureSQLTester accurately identifies SQL injection vulnerabilities in the evaluated applications. However, opportunities for improvement were identified in the user interface, as well as a need for better customization of parameters to the usage context. Overall, the findings support the potential of the prototype as an effective, low-cost tool for strengthening cybersecurity in small- and medium-scale development environments and for promoting the adoption of best practices throughout the software lifecycle.
Copyright Notice
Authors who publish in this journal agree to the following terms:
- Authors retain copyright and grant the journal the right of first publication, with the work simultaneously licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license that allows others to share the work with an acknowledgement of the work's authorship and its initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.
Disclaimer
In no event shall LAJC be liable for any direct, indirect, incidental, punitive, or consequential copyright infringement claims related to articles that have been submitted for evaluation or published in any issue of this journal.