I. Introduction
Most day-to-day transactions now happen online through web applications, for example e-shopping, online bank transactions and reservations. All the user information and transaction information entered on these sites is stored in and retrieved from a database. That database, however, is highly prone to SQL injection attacks. In a SQL injection attack the attacker inserts malicious SQL statements that can give him access to the database or the information stored in it, or harm the web application or the privacy of its users. SQL injection is one of the most common and prevalent database attacks: by exploiting a vulnerability in the web application and its database, the attacker can gain unauthorized access to both and cause much harm. In this paper an attempt is made to develop a working model for testing and preventing SQL injection attacks.

The security of web applications and of the databases they use is of major concern these days. The risk of attack is increasing because of the large number of web applications, the large number of web application users, and sloppy security mechanisms. SQL injection attacks can be performed in many ways, such as modifying data, manipulating queries and extracting data. The attacker can inject a WHERE condition into the SQL query that always evaluates to true; this can be used to bypass authentication, extract information and so on, and this type of attack is called a tautology. If the attacker tries to execute remote commands on the database to cause a denial of service, it is a stored procedure attack. The attacker can also use piggybacking, in which additional SQL queries are appended to the original query to extract information or bypass access controls [1].
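As an added illustration of the tautology attack and the authentication bypass it enables (example code written for this edit, not part of the paper's own model), the following Python compares a login query built by string concatenation with a parameterized one over a constructed in-memory SQLite users table; the table, its rows and the function names are assumptions made for the example:

```python
import sqlite3


def make_db():
    # Constructed stand-in for the web application's user table.
    # Passwords are stored in clear only to keep the example short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The user input is spliced into the SQL text, so a WHERE condition
    # that always evaluates to true can be injected through the password
    # field and the AND/OR precedence makes the whole clause true.
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Placeholders bind the input as data; quotes and keywords in it are
    # matched literally against the stored values, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic always-true condition
    print("concatenated query, injected input:",
          login_vulnerable(db, "alice", tautology))      # True: bypass
    print("parameterized query, injected input:",
          login_parameterized(db, "alice", tautology))   # False: rejected
```

The same input that grants access through the concatenated query is simply an unmatched password for the parameterized one, which is why parameterized statements are the first control a testing model should check for.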