On automated prepared statement generation to remove SQL injection vulnerabilities

Stephen Thomas, Laurie Williams, Tao Xie

Research output: Contribution to journal › Article › peer-review


Since 2002, over 10% of total cyber vulnerabilities were SQL injection vulnerabilities (SQLIVs). This paper presents a prepared statement replacement algorithm for removing SQLIVs by replacing SQL statements with prepared statements. Prepared statements have a static structure, which prevents SQL injection attacks from changing the logical structure of a prepared statement. We created a prepared statement replacement algorithm and a corresponding tool for automated fix generation. We conducted four case studies of open source projects to evaluate the capability of the algorithm and its automation. The empirical results show that prepared statement code correctly replaced 94% of the SQLIVs in these projects.
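The before/after pair the abstract describes, written here as an added illustration (not the paper's tool or its code) using Python's sqlite3 module and constructed sample data: the concatenated query lets quote characters in the input alter the statement's structure, while the prepared statement binds the input as a single value so the structure stays fixed.

```python
import sqlite3

# Constructed sample rows for the demonstration (not taken from the paper).
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    # Vulnerable form (the 'before' of the fix): the input is spliced into the
    # SQL text, so any quote in it becomes part of the statement itself.
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(conn, name):
    # Hardened form (the 'after'): the SQL text is fixed and the input is bound
    # to the placeholder as one value, so it cannot change the query's logic.
    sql = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def compare(name):
    """Run both forms on the same input and return (concat_result, prepared_result).

    A failing concatenated query is reported as 'error: <exception class>'
    rather than raised, so the two behaviours can be compared side by side.
    """
    conn = make_db()
    try:
        concat = lookup_concat(conn, name)
    except sqlite3.Error as exc:
        concat = "error: " + type(exc).__name__
    prepared = lookup_prepared(conn, name)
    conn.close()
    return concat, prepared
```

A name containing an apostrophe is enough to show the difference: the concatenated statement no longer parses, while the prepared statement simply finds no matching row.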

Original language: English (US)
Pages (from-to): 589-598
Number of pages: 10
Journal: Information and Software Technology
Issue number: 3
State: Published - Mar 2009
Externally published: Yes


  • Fix automation
  • Prepared statement
  • SQL injection

ASJC Scopus subject areas

  • Software
  • Information Systems
  • Computer Science Applications

