SQL Injection

The document discusses SQL injection verification and validation methods including blacklisting dangerous input characters, whitelisting only allowed input characters, and sanitizing input before inserting into a database to remove single quotes and prevent SQL injection threats.

Uploaded by Pavan Kumar
Copyright © All Rights Reserved

SQL Injection Verification

Request to the Application

A request to the application passes through the following layers in order.

Black List Verification (Web Application Firewall)

Input is validated against a list of all characters, and their associated encodings, that could be used maliciously, and any input matching the list is rejected. For example, if one of the input field values is 1' OR '1'='1, the application throws a banner and does not process the request. The list is based on a DB seed script and can be updated at any time without restarting the web server; new or updated values take effect from the next request. If an input value passes this list, it is still sanitized in the database modification layer. By appending to the black list, the SQL threat can be mitigated.
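As an added example (not code from the document or from the application it describes), the following Python sketches the black list verification described above: a constructed list of dangerous tokens with their common encodings stands in for the DB-seeded list, the input is decoded before matching so an encoded quote is caught as well as a literal one, and the list is consulted on every call so a replaced list applies to the next request without a restart. All function and variable names are the example's own.

```python
"""Black list verification at the request boundary (added example, not the
document's own code). BLACK_LIST is a constructed stand-in for the
DB-seeded list the document describes."""
from urllib.parse import unquote_plus

# Each entry: a dangerous token and encodings it is commonly submitted in
# (lower-case, because the check lower-cases the raw input before matching).
BLACK_LIST = {
    "'": ["%27", "&#39;", "&#x27;"],
    "--": ["%2d%2d"],
    ";": ["%3b"],
    "/*": ["%2f%2a"],
    " or ": ["%20or%20", "+or+"],
}


def normalize(value: str) -> str:
    """Decode URL encoding once so the check sees the text the database would."""
    return unquote_plus(value).lower()


def black_list_hits(value: str, black_list=None) -> list:
    """Return the black-listed tokens present in value (empty list = passes).

    The list is looked up per call, so a replaced or extended list applies
    to the next request without restarting anything.
    """
    bl = BLACK_LIST if black_list is None else black_list
    raw, decoded = value.lower(), normalize(value)
    hits = []
    for token, encodings in bl.items():
        if token in decoded or token in raw or any(e in raw for e in encodings):
            hits.append(token)
    return hits


def verify_request(params: dict, black_list=None):
    """WAF-style decision for one request: (accepted, {field: hits}).

    A rejected request is not processed further; the caller would show the
    banner the document mentions.
    """
    rejected = {}
    for field, value in params.items():
        hits = black_list_hits(value, black_list)
        if hits:
            rejected[field] = hits
    return (not rejected, rejected)


if __name__ == "__main__":
    ok, why = verify_request({"id": "1' OR '1'='1"})
    print("accepted" if ok else f"rejected: {why}")
```

A character black list also rejects legitimate values such as O'Brien, so it is a first filter in front of the white list and the database-layer sanitization rather than the only control.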

Data Validation (White List)

Input is validated against a list of all characters that should be allowed for a given input, and anything else is denied. This is specified in validation.xml in our applications. No modification is made to this layer for SQL injection mitigation.

Business Validation

No modification is made to this layer.

Database Modification

Data is sanitized before it is presented to the database: all single quotes are replaced by two single quotes, removing the threat of SQL injection.
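As an added example serving both the Data Validation and Database Modification layers (not the application's validation.xml nor its database code), the following Python applies a constructed per-field allow-list and the single-quote doubling described above, run against a small in-memory SQLite table with constructed rows. It also shows the case a practitioner should check before relying on this layer alone: quote doubling protects a value placed inside a quoted string literal, but does nothing for a value placed in an unquoted numeric position, where the white list (or a parameterized query, included for comparison) is what must hold. Table name, rows and function names are the example's own.

```python
"""White list data validation and database-layer sanitization (added
example, not the document's own code). WHITE_LIST stands in for the rules
the document keeps in validation.xml; the users table is constructed."""
import re
import sqlite3

# Constructed per-field rules: each field may contain only these characters.
WHITE_LIST = {
    "username": re.compile(r"[A-Za-z0-9_.'-]{1,32}"),
    "customer_id": re.compile(r"[0-9]{1,10}"),
}


def white_list_ok(field: str, value: str) -> bool:
    """Data validation layer: accept only values made entirely of allowed characters."""
    rule = WHITE_LIST.get(field)
    return bool(rule and rule.fullmatch(value))


def sanitize(value: str) -> str:
    """Database modification layer: double every single quote so the value
    cannot terminate the string literal it is embedded in."""
    return value.replace("'", "''")


def demo_db() -> sqlite3.Connection:
    """Constructed sample data; not from the document."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, "O'Brien"), (3, "carol")])
    return con


def ids_by_name(con: sqlite3.Connection, username: str) -> list:
    """Quoted string context: sanitize() is sufficient here."""
    sql = f"SELECT id FROM users WHERE name = '{sanitize(username)}'"
    return [row[0] for row in con.execute(sql)]


def ids_by_id_unquoted(con: sqlite3.Connection, customer_id: str) -> list:
    """Unquoted numeric context: sanitize() changes nothing, so the white list
    on customer_id is the control that has to hold before this point."""
    sql = f"SELECT id FROM users WHERE id = {sanitize(customer_id)}"
    return [row[0] for row in con.execute(sql)]


def ids_by_id_param(con: sqlite3.Connection, customer_id: str) -> list:
    """Parameterized form for comparison: the driver keeps data and statement apart."""
    rows = con.execute("SELECT id FROM users WHERE id = ?", (customer_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = demo_db()
    for value in ("O'Brien", "x' OR '1'='1"):
        print(value, "->", white_list_ok("username", value), ids_by_name(con, value))
    for value in ("2", "1 OR 1=1"):
        print(value, "->", white_list_ok("customer_id", value),
              ids_by_id_unquoted(con, value), ids_by_id_param(con, value))
```

The username lookups show the layer doing its job: O'Brien is found as one row and the quoted probe matches nothing, because the doubled quotes keep the whole value inside the literal. The customer_id lookups show the gap: the unquoted query returns every row for a value that contains no quote at all, so only the white list (which rejects that value) or the parameterized query (which returns nothing for it) prevents the full-table result.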
