Article Preview
TopSQLIA is that an attacker attempts to change the logic, semantics or syntax (Halfond & Orso, 2005) and behavior of a dynamically generated SQL statement by inserting additional SQL keywords and/or operators into the statement through URL query string or HTML form values, usually with a malicious intent because a web application exists vulnerabilities of execute unsanctioned input (Kar & Panigrahi, 2013). It illustrates SQLIA as Figure 1. A successful SQLIA must meet the indispensable condition that there is vulnerability in web application (Appelt, Nguyen, Briand, & Alshahwan, 2014). Vulnerabilities include loopholes, fault, bugs, weakness or flaw of software system design (Sharma, & Jain, 2014). Some of SQLIA vulnerabilities are caused by syntax constraints of web programming languages, but most of SQLIA vulnerabilities are caused by poor programming/coding practice (McClure, & Kruger, 2005), i.e., without type checking (Joosten, & Joosten, 2015), improper validation of user input (Srivastava, 2014), data and control structures mixed together in same transporting channel (Jun & Jun, 2011), detailed error messages feedback (Smith, Williams, & Austin, 2010) and over privilege accounts. Vulnerabilities of SQLIA are the root cause of SQL queries that have not been validated before the executions, no matter which data input for these SQL queries come from user input or back-end database of web application. User input includes all forms that web users submit, or contents in Uniform Resource Locator (URL) of website or all data have been saved in HTTP cookie.