On automated prepared statement generation to remove SQL injection vulnerabilities

0950-5849/$ see front matter 2008 Elsevier B.V. A doi:10.1016/j.infsof.2008.08.002 * Corresponding author. Tel.: +1 919 513 4151. E-mail addresses: [email protected] ncsu.edu (L. Williams), [email protected] (T. Xie). Since 2002, over 10% of total cyber vulnerabilities were SQL injection vulnerabilities (SQLIVs). This paper presents an algorithm of prepared statement replacement for removing SQLIVs by replacing SQL statements with prepared statements. Prepared statements have a static structure, which prevents SQL injection attacks from changing the logical structure of a prepared statement. We created a prepared statement replacement algorithm and a corresponding tool for automated fix generation. We conducted four case studies of open source projects to evaluate the capability of the algorithm and its automation. The empirical results show that prepared statement code correctly replaced 94% of the SQLIVs in these projects. 2008 Elsevier B.V. All rights reserved.