E. Mohamed. Safwat 57 AN EFFICIENT TECHNIQUE FOR SQL INJECTION DETECTION AND PREVENTION Esraa Mohamed Safwat Computer science Department Faculty of computer and information Menoufyia University Esraa_safwat87@yahoo.com Hany Mahgoub Computer science Department Faculty of computer and information Menoufyia University H_mghguob@yahoo.com ASHRAF EL-SISI, Computer science Department Faculty of computer and information Menoufyia University ashrafelsisim@yahoo.com Arabi Keshk Computer science Department Faculty of computer and information Menoufyia University arabikeshk@yahoo.com Abstract: With the recent rapid increase of interactive web applications that employ back-end database services, a SQL injection attack has become one of the most serious security threats. This type of attack can compromise confidentiality and integrity of information and database. Actually, an attacker intrudes to the web application database and consequently, access to data. For preventing this type of attack different techniques have been proposed by researchers but they are not enough because most of implemented techniques cannot stop all type of attacks. In this paper our proposed technique are detection of SQL injection and prevention based on first order, second order and blind SQL injection attacks online. The proposed technique implemented in JAVA and evaluated for seven types of SQL injection attacks. Experimental results have shown that the proposed technique is efficient related to execution time overhead. Our technique need to be one second overhead to execution time. Moreover, we have compared the proposed technique with the popular web application vulnerabilities scanner techniques. The most advantages of proposed technique Its easiness to adopt by software developer, having the same syntactic structure as current popular record set retrieval methods. Keywords: - Web application, Database SQL Injection Attack, detection, prevention 1. Introduction Web sites are dynamic, static, and most of the time a combination of both. Web sites need protection in their database to assure security. An SQL injection attacks interactive web applications that provide database services. These applications take user inputs and use them to create a SQL query at run time. In an SQL injection attack, an attacker might insert a malicious SQL query as input to perform an unauthorized database operation. Using SQL injection attacks, an attacker can retrieve or modify confidential and sensitive information from the database. The popular solutions for the prevention of SQL injection attacks include coding best practices, input filtering, escaping user input, usage of parameterized queries, implementation of least privilege, white list input validation [2,3,4], These solutions should be employed usually during the development of an application. This is the major limitation of such solutions as they do not cover the millions of Web applications already deployed with this vulnerability. Detection of SQL injection and prevention technique is proposed based first order, second order and blind SQL injection attacks online. SQL injection detection and prevention (SQLI-