Abstract— SQL injection (SQLi) remains one of the most critical security threats to database-driven web applications, despite the widespread adoption of input sanitization, prepared statements, and detection-based defenses. Existing solutions primarily rely on syntactic validation, heuristic analysis, or probabilistic detection, which leaves residual vulnerabilities such as second-order injection, parameter tampering, and encoding-based evasion. In this paper, we propose C-QIPE, a Cryptographic Query Integrity and Prevention Engine that enforces deterministic SQLi prevention through cryptographic verification. The proposed framework binds SQL query templates, runtime parameters, and execution context using secure hash functions and message authentication codes, ensuring that only pre-registered and cryptographically validated query structures are executed by the database engine. Any deviation in query structure, parameter ordering, or values results in verification failure and query rejection prior to execution. Unlike detection-oriented approaches, C-QIPE does not rely on pattern matching, learning models, or runtime anomaly detection, thereby eliminating false negatives by design. We formally define the adversary model, analyze the security properties of the framework, and evaluate its effectiveness against classical, advanced, and second-order SQLi attacks. Experimental results demonstrate complete prevention with minimal runtime overhead, confirming the practicality of cryptographic query integrity enforcement in security-critical applications.

Keywords— Cryptographic Query Integrity, Database Security, Secure SQL Execution, SQL Injection Prevention, Web Application Security
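The binding the abstract describes (template identity, runtime parameters and execution context under a MAC, with the gateway refusing anything not pre-registered or not verifying) can be illustrated with a small gateway in Python. The code below is an added example written for this page, not the paper's C-QIPE implementation, and its concrete choices are assumptions: SHA-256 as the template hash, HMAC-SHA256 as the MAC, a canonical JSON encoding of parameters and context, a shared key `KEY` between application and gateway, an in-memory SQLite table and a `QueryRegistry` class. The registry, the `users` table and the request variants in `demo()` are constructed for illustration.

```python
import hashlib
import hmac
import json
import sqlite3

# Hypothetical shared secret between the application tier and the gateway.
KEY = b"shared-application-gateway-key"


def template_hash(sql: str) -> str:
    """SHA-256 of the exact template text; this is the template's identity."""
    return hashlib.sha256(sql.encode("utf-8")).hexdigest()


class QueryRegistry:
    """Pre-registered query structures keyed by template hash (assumed design)."""

    def __init__(self) -> None:
        self._templates: dict[str, tuple[str, int]] = {}

    def register(self, sql: str) -> str:
        # Assumes templates contain no literal '?' outside placeholders.
        h = template_hash(sql)
        self._templates[h] = (sql, sql.count("?"))
        return h

    def lookup(self, h: str):
        return self._templates.get(h)


def canonical(params, context: dict) -> bytes:
    """Deterministic encoding so that ['a', 'b'] and ['a,b'] cannot collide
    and so key order in the context dict does not change the MAC."""
    return json.dumps({"p": list(params), "c": context},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_query(key: bytes, tmpl_hash: str, params, context: dict) -> str:
    """Application side: MAC over template identity + parameters + context."""
    msg = tmpl_hash.encode("ascii") + b"\x00" + canonical(params, context)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_and_execute(conn, registry, key, tmpl_hash, params, context, tag):
    """Gateway side: reject before execution unless structure and MAC check out."""
    entry = registry.lookup(tmpl_hash)
    if entry is None:
        return ("rejected", "unregistered template")
    sql, n_placeholders = entry
    if len(params) != n_placeholders:
        return ("rejected", "parameter count mismatch")
    expected = sign_query(key, tmpl_hash, params, context)
    if not hmac.compare_digest(expected, tag):
        return ("rejected", "MAC mismatch")
    # Only now does SQL reach the engine, and only through bound parameters.
    return ("executed", conn.execute(sql, list(params)).fetchall())


def demo() -> dict:
    """Constructed scenario: one registered template, four request variants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    reg = QueryRegistry()
    h = reg.register("SELECT id, name FROM users WHERE name = ? AND role = ?")
    ctx = {"app": "portal", "endpoint": "/login"}  # hypothetical execution context

    # 1. Legitimate request: application signs, gateway verifies and executes.
    tag = sign_query(KEY, h, ["alice", "admin"], ctx)
    legit = verify_and_execute(conn, reg, KEY, h, ["alice", "admin"], ctx, tag)

    # 2. Classic payload arrives as a parameter value; it is bound, never parsed,
    #    so it matches no row instead of turning the WHERE clause into a tautology.
    payload = "' OR 1=1 --"
    tag2 = sign_query(KEY, h, [payload, "admin"], ctx)
    injected = verify_and_execute(conn, reg, KEY, h, [payload, "admin"], ctx, tag2)

    # 3. A query structure that was never registered is refused even when the
    #    sender holds the key: structure is enforced by the registry, not the MAC.
    rogue = "SELECT id, name FROM users WHERE 1=1"
    rogue_h = template_hash(rogue)
    unregistered = verify_and_execute(conn, reg, KEY, rogue_h, [], ctx,
                                      sign_query(KEY, rogue_h, [], ctx))

    # 4. Parameter changed after signing (e.g. tampered in transit): MAC fails.
    tampered = verify_and_execute(conn, reg, KEY, h, ["alice", "user"], ctx, tag)

    return {"legit": legit, "injected_value": injected,
            "unregistered": unregistered, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

Two design points worth noting. The registry check comes before the MAC check, so an unregistered structure is refused regardless of who signed it; this is what makes the structural guarantee independent of key compromise. The canonical encoding is not optional: MACing a naive `",".join(params)` would let an attacker move a delimiter between parameters without changing the tag, which is exactly the parameter-ordering deviation the scheme is meant to catch.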
Published in: INTERNATIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT
Volume 10, Issue 03, pp. 1-9
DOI: 10.55041/ijsrem58457