
SQLdefend: An automated detection and prevention technique for sql injection vulnerabilities in web applications


E.E. Ogheneovo
P.O. Asagba

Abstract

SQL injection attacks (SQLIAs) are among the foremost threats to Web applications: an attacker supplies a specially crafted input string that causes the application to issue an unintended query to its database. SQLIAs target interactive Web applications that use database services. In this paper we propose SQLDefend, a technique for detecting and preventing SQLIAs. The approach is fully automated and combines a parser with a decision tree: string values are modelled with Context-Free Grammars (CFGs), user input is used to train a decision tree, and parse-tree validation is applied to input strings. The technique first checks whether the two queries (the query the developer intended and the query actually built from the user input) match syntactically, and then applies a rule-based decision-tree classifier to the user input. If the result meets the defined condition, the query is considered legitimate and accepted; otherwise it is rejected. In our evaluation the technique produced no false positives and no false negatives, with low runtime overhead in execution time and CPU usage. The technique is thus effective in preventing SQLIAs.


Key words: SQL Injection, Vulnerability, SQLDefend, Web Applications, Attacks


Journal Identifiers


eISSN: 1118-1931
print ISSN: 1118-1931