In an SQL injection attack, a malicious user of a web application supplies input in a web form field that contains SQL syntax (executable code), changing the structure of the query from what the programmer intended and returning data that should have been protected. The goal of this project was to examine whether commonly used web application frameworks are an effective way to create web applications that are free from SQL injection vulnerabilities. Through careful analysis of their database access methods, this project compares the different web application frameworks and points out the need for caution in the use of particular methods. This work shows that it is not enough to choose the most popular framework among developers in a particular language and assume that the framework's data access methods are sufficiently safe from SQL injection vulnerabilities.
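The structural change the abstract describes, shown as an added example that is not part of the project: a query built by string formatting is compared with the same query using a bound parameter. It assumes Python's sqlite3 module with a constructed in-memory table as a stand-in for a framework's data access layer.

```python
import sqlite3

def make_db():
    # Constructed in-memory user table standing in for a web application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_unsafe(conn, username):
    # The form value is spliced into the SQL text, so quote characters in it
    # become part of the statement and can change its structure.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, username):
    # The value is bound as a parameter: the engine receives the statement and
    # the data separately, so the input can only ever be compared as a string.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def compare(username):
    # Returns (rows from the unsafe query, rows from the parameterised query).
    # For an ordinary username both agree; for input containing SQL syntax the
    # unsafe query returns rows the programmer never intended to expose.
    conn = make_db()
    return lookup_unsafe(conn, username), lookup_safe(conn, username)

def exposes_extra_rows(username):
    # Simple check a reviewer or test suite can apply to a data access method:
    # the string-built query must never return more than the bound-parameter one.
    unsafe, safe = compare(username)
    return len(unsafe) > len(safe)
```

Run `compare("bob")` and `compare("x' OR '1'='1")` to see the two methods agree on ordinary input and diverge when the input carries SQL syntax.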