Evaluating Input Validation Techniques For SQL Injection Defense
DOI: https://doi.org/10.64252/7m1g0t74
Keywords: SQL Injection, Input Normalization, Blacklist/Whitelist Filtering, FSM-based Validation, Multi-layered Defense
Abstract
This study compares four SQL Injection defense techniques: input normalization, blacklist and whitelist filtering, and FSM-based context validation. Experiments using identical attack payloads show that normalization improves overall filtering accuracy, while blacklist filtering is simple to implement but vulnerable to evasion. In contrast, whitelist and FSM-based methods provide strong defensive performance but require greater implementation effort and maintenance. Overall, no single technique is sufficient on its own; instead, a multi-layered defense strategy that integrates normalization, filtering, and context validation is shown to be the most effective approach.
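
The following is an added illustration, not code from the study, of why the abstract pairs normalization with filtering: the same blacklist is run on raw and on normalized input, and a whitelist is then applied to the normalized value. The blacklist patterns, the username whitelist, the function names and the sample inputs are all constructed assumptions; FSM-based context validation is not shown.

```python
import re
import unicodedata
from urllib.parse import unquote

# Hypothetical deny-list and allow-list for a username field (assumptions, not from the paper).
BLACKLIST = [re.compile(p, re.IGNORECASE)
             for p in (r"'\s*or\s", r"union\s+select", r"--")]
USERNAME_WHITELIST = re.compile(r"[a-z0-9_.-]{1,32}")

def normalize(value, max_rounds=3):
    """Canonicalize: bounded repeated percent-decoding, NFKC, case folding, whitespace collapse."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:      # stable: nothing left to decode
            break
        value = decoded
    value = unicodedata.normalize("NFKC", value).casefold()
    return re.sub(r"\s+", " ", value).strip()

def blacklist_hit(value):
    """True if any deny-list pattern appears in the value."""
    return any(p.search(value) for p in BLACKLIST)

def whitelist_ok(value):
    """True only if the whole value matches the allowed username shape."""
    return USERNAME_WHITELIST.fullmatch(value) is not None

def evaluate(raw):
    """Run the layers and report what each one sees."""
    norm = normalize(raw)
    return {
        "normalized": norm,
        "blacklist_raw": blacklist_hit(raw),          # blacklist without normalization
        "blacklist_normalized": blacklist_hit(norm),  # blacklist after normalization
        "accepted": whitelist_ok(norm) and not blacklist_hit(norm),
    }

# Constructed sample inputs: two benign usernames, one encoded and one double-encoded value.
SAMPLES = [
    "alice_01",
    "Bob.Smith",
    "alice%27%20OR%20%271%27%3D%271",
    "alice%2527%2520OR%25201%253D1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, evaluate(sample))
```

Even with all layers accepting a value, the query itself should still bind it as a parameter rather than concatenating it into SQL text.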




