Call for Paper - January 2024 Edition
IJCA solicits original research papers for the January 2024 Edition. Last date of manuscript submission is December 20, 2023. Read More

A Survey on Detection and Prevention of SQL and NoSQL Injection Attack on Server-side Applications

International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Year of Publication: 2021
Mehjabeen Shachi, Nurnaby Siddiqui Shourav, Abu Syeed Sajid Ahmed, Afsana Afrin Brishty, Nazmus Sakib

Mehjabeen Shachi, Nurnaby Siddiqui Shourav, Abu Syeed Sajid Ahmed, Afsana Afrin Brishty and Nazmus Sakib. A Survey on Detection and Prevention of SQL and NoSQL Injection Attack on Server-side Applications. International Journal of Computer Applications 183(10):1-7, June 2021. BibTeX

	author = {Mehjabeen Shachi and Nurnaby Siddiqui Shourav and Abu Syeed Sajid Ahmed and Afsana Afrin Brishty and Nazmus Sakib},
	title = {A Survey on Detection and Prevention of SQL and NoSQL Injection Attack on Server-side Applications},
	journal = {International Journal of Computer Applications},
	issue_date = {June 2021},
	volume = {183},
	number = {10},
	month = {Jun},
	year = {2021},
	issn = {0975-8887},
	pages = {1-7},
	numpages = {7},
	url = {},
	doi = {10.5120/ijca2021921396},
	publisher = {Foundation of Computer Science (FCS), NY, USA},
	address = {New York, USA}


Attacks concerning data can be considered as an intense security threat. A couple of major cyberattacks on eminent database-driven web applications are SQL and NoSQL injection. Confidential data might be revealed to the hacker if the database is injected with malicious codes. Due to inadequate user input validation SQL injection brings a serious threat to the database by leaking proprietary information. Relational and non relational databases are very much vulnerable to these threats. NoSQL database shows higher performance than SQL database regarding efficient storage criteria and data retrieval time. It is flexible for handling big data and is considered to be more secure. Despite these facts and its growing popularity NoSQL databases are also vulnerable to injection attacks. Because of using a different query language, NoSQL injection is irrelevant to traditional SQL injection. Still, SQL and NoSQL injections are quite similar in this sense that both of the attacks rely on suspicious input execution on the server. So, it is a critical issue for non-relational databases as well. In this paper, numerous injection attacks are discussed along with detection and the countermeasures against SQL and NoSQL injection.


  1. G. Keizer, “Yahoo fifixes password-pilfering bug, explains who’s at risk,”2012
  2. W. G.J. Halfond, Jeremy Viegas, and Alessandro Orso. A Classification of SQL Injection Attacks and Countermeasures. College of Computing, Georgia Institute of Technology, 2006.
  3. A. Alazab, Moutaz Alazab, Jemal Abawajy, Michael Hobbs. Web Application Protection against SQL Injection Attack. The 7th International Conference on Information Technology and Applications, pp. 1-7, ICITA 2011
  4. Ghafarian, A. A hybrid method for detection and prevention of SQL injection attacks. , 2017 Computing Conference. (2017)
  5. Kim, M.-Y. and Lee, D.H. Data-mining based SQL injection attack detection using internal query trees. , Expert Systems with Applications, 41. (2014) , 5416–5430
  6. Lashkaripour, Z. and Ghaemi Bafghi, A. A security analysis tool for web application reinforcement against SQL injection attacks (SQLIAs). , 2013 10th International ISC Conference on Information Security and Cryptology (ISCISC). (2013).
  7. Shrivastava, G. and Pathak, K. SQL Injection Attacks: Technique and Prevention Mechanism. , International Journal of Computer Applications, 69. (2013) , 35–39
  8. Website. . [Online]. Available: D. Box and A. Hejlsberg. LINQ: .NET Language-Integrated Query. [Accessed: 04-May-2021]
  9. Lee, I. et al. A novel method for SQL injection attack detection based on removing SQL query attribute values. , Mathematical and Computer Modelling, 55. (2012) , 58–68
  10. Alsobhi, H. and Alshareef, R. SQL Injection Countermeasures Methods. , 2020 International Conference on Computing and Information Technology (ICCIT-1441). (2020)
  11. Ron, A. et al. Analysis and Mitigation of NoSQL Injections. , IEEE Security Privacy, 14. (2016) , 30–39
  12. Islam, M.R.U. et al. Automatic Detection of NoSQL Injection Using Supervised Learning. , 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC). (2019)
  13. Abdalla, H.B. et al. NoSQL Injection: Data Security on Web Vulnerability. , International Journal of Security and Its Applications, 10. (2016) , 55–64
  14. Singh, S. Security Analysis of MongoDB.
  15. Palvi Aggarwa and Rinkle Rani, Security Issues and User Authentication in MongoDB,Emerging Research in Computing, INformation, Communication and Applications (2014)
  16. Moore, A.W. and Lee, M.S. Efficient Algorithms for Minimizing Cross Validation Error. , Machine Learning Proceedings 1994. (1994) , 190–198
  17. Ross Quinlan, J. (1993) C4.5: Programs for Machine Learning, Morgan Kaufmann.
  18. Aha, D.W. et al. Instance-based learning algorithms. , Machine Learning, 6. (1991) , 37–66
  19. Jin, C. et al. An improved ID3 decision tree algorithm. , 2009 4th International Conference on Computer Science & Education. (2009)
  20. Hopfield, J.J. Artificial neural networks. , IEEE Circuits and Devices Magazine, 4. (1988) , 3–10
  21. Ho, T.K. Random decision forests. , Proceedings of 3rd International Conference on Document Analysis and Recognition.
  22. Freund, Y. and Schapire, R.E. A desicion-theoretic generalization of on-line learning and an application to boosting. , Lecture Notes in Computer Science. (1995) , 23–37
  23. M., A. et al. NoSQL Racket: A Testing Tool for Detecting NoSQL Injection Attacks inWeb Applications. , International Journal of Advanced Computer Science and Applications, 8. (2017)
  24. Chen, T. and Guestrin, C. XGBoost. , Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. (2016)
  27. Sqreen, “Web application and user protection,”
  28. Joseph, S. and Jevitha, K.P. An Automata Based Approach for the Prevention of NoSQL Injections. , Communications in Computer and Information Science. (2015) , 538–546
  29. Feldthaus, A., Miller, A.: Java String Analyzer.
  30. Hou, B. et al. MongoDB NoSQL Injection Analysis and Detection. , 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud). (2016).


SQL, NoSQL, injection attack, hacker, detection, prevention