DESIGN AND IMPLEMENTATION OF A VULNERABLE WEB APPLICATION FOR SQL INJECTION ATTACK DEMONSTRATION AND PREVENTION

Authors

  • Ravinder¹, G. Neha², A. Sri Vidhya³, Chandrakanth⁴

DOI:

https://doi.org/10.64751/

Abstract

Web applications play a vital role in modern digital environments by providing users with access to various online services such as e-commerce, banking, social networking, and information management systems. These applications interact with databases to store and retrieve important data, including user credentials and personal information. However, if web applications are developed without proper security measures, they become vulnerable to cyber attacks. One of the most common and critical vulnerabilities affecting web applications is SQL Injection.

SQL Injection is a type of cyber attack in which malicious SQL commands are inserted into input fields such as login forms or search boxes. When an application fails to properly validate or sanitize user inputs, the attacker's input becomes part of the SQL query executed by the database. This allows attackers to manipulate database queries to bypass authentication mechanisms, retrieve sensitive information, modify records, or even delete entire databases. Because of its severe impact on application security, SQL Injection is considered one of the most dangerous web vulnerabilities and is included in the OWASP Top 10 web application security risks.

The main objective of this project is to design and implement a vulnerable web application that demonstrates how SQL Injection attacks occur and how they can be prevented using secure coding techniques. The application includes a login interface where users enter their username and password to access the system. In the initial implementation, the application is intentionally designed with insecure SQL queries that directly concatenate user input with SQL statements. This allows attackers to manipulate the query logic and bypass authentication using SQL Injection techniques. After demonstrating the vulnerability, the project implements a secure solution to prevent SQL Injection attacks. The prevention mechanism uses parameterized queries (Prepared Statement), which separate SQL commands from user input. By treating user input as data rather than executable code, this method effectively prevents SQL Injection attacks and enhances the security of the application. The system is developed using HTML and CSS for the frontend user interface, Spring Boot for backend application logic, and MySQL as the database management system. The project provides a practical understanding of SQL Injection vulnerabilities and highlights the importance of secure coding practices in web application development. Through this implementation, developers and students can better understand how web application vulnerabilities arise and how they can be mitigated using proper security techniques.
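The two login implementations the abstract contrasts, as an added example that is not code from the paper: a concatenated query beside the parameterized form, written in Python against an in-memory SQLite table (a stand-in for the paper's Spring Boot/MySQL PreparedStatement setup, with a constructed `users` table and one constructed account).

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the project's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # constructed account
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Insecure variant: user input is spliced straight into the SQL text.

    A quote character in the input ends the string literal early, so the
    rest of the input is parsed as SQL and can change the WHERE logic.
    """
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_secure(conn, username, password):
    """Parameterized variant (the PreparedStatement pattern).

    The SQL text is fixed before any user input is seen; the driver passes
    the values separately, so they are only ever compared as data.
    """
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    malformed_password = "' OR '1'='1"   # constructed input containing a quote
    for name, fn in (("vulnerable", login_vulnerable), ("secure", login_secure)):
        print(name, "valid creds:", fn(db, "alice", "s3cret"))
        print(name, "wrong password:", fn(db, "alice", "wrong"))
        print(name, "quote in password:", fn(db, "alice", malformed_password))
```

Only the concatenated version returns `True` for the quoted input; the parameterized version treats it as a literal password and rejects it.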

Published

01-04-26

How to Cite

Ravinder, G. Neha, A. Sri Vidhya, & Chandrakanth. (2026). DESIGN AND IMPLEMENTATION OF A VULNERABLE WEB APPLICATION FOR SQL INJECTION ATTACK DEMONSTRATION AND PREVENTION. American Journal of AI Cyber Computing Management, 6(2), 7-14. https://doi.org/10.64751/