The modern world relies heavily on web applications since they serve as vital tools for executing business operations and delivering government services, and conducting personal activities. Online banking, along with e-commerce and healthcare portals and educational platforms, have become fundamental structures that enable multiple business sectors to work efficiently and manage data and deliver services. Organizations now depend extensively on web-based technologies, prompting a critical need for system protection due to its vital importance [ 1]. The expanding nature of web applications leads to increased attacks that exploit weaknesses to interrupt services while simultaneously stealing sensitive information and damaging organizational credibility [ 2].

The SQLIAs stand as one of the most dangerous and widely used cyber threats among other forms [ 3]. SQLIAs function through invalid field input to embed damaging SQL code that lets attackers avoid security measures and obtain sensitive data while also facilitating database changes and removals. Security professionals face SQLi attacks as a major ongoing threat since web application vulnerabilities lead to them in over 65% of cases [ 4].

Web security enhancement alongside risk mitigation depends heavily on successful research into SQLi attack detection. The detection capability of traditional input validation combined with signature-based systems fails to detect modern or advanced variations of SQLIAs [ 5]. Web application security enhancement demands a proper detection system for SQLIAs. Most modern injection techniques remain undetected by traditional protection measures, which combine input validation and static rule enforcement.

The detection accuracy, along with false positive reduction, has motivated researchers to adopt ML and DL models due to their adaptive and intelligent features [ 6]. The combination of supervised machine and DL models can become a successful method for efficient SQLi attack detection in web security systems [ 7]. The system uses learned models to extract knowledge from past SQL query data, which includes harmless as well as harmful requests, enabling automatic detection of potential threats during real-time processing.

The security threat from SQLi bypasses conventional detection techniques while maintaining its importance as a critical web application vulnerability. Current rule-based detection systems experience difficulties when trying to identify complicated and emerging SQLi attack forms. Detecting of diverse SQLi attacks in real-time requires new technology because existing systems lack smart enough detection capabilities. The research introduces a complete structure for SQLi attack detection through DL methodology. The key contributions are as follows:

Utilized a Kaggle SQLi dataset with over 30,000 SQL queries, including ~6,000 malicious entries across multiple SQLi types.

Applied comprehensive preprocessing, duplicate removal, missing value handling, tokenization, encoding, and normalization.

Performed feature selection using G-test scoring to enhance classification accuracy.

Developed a GRU-based DL model for sequential analysis of SQL queries.

Utilizing the disorientation matrix's accuracy, precision, f1-score, and recall, evaluate the model's efficiency.

The remainder of the document is structured. Section II provides a background study on the Detection of SQLi Attacks. In Section III, the methodology that proposed in detailed. In Section V, the outcomes, analysis, and discussion are compared. Section V presents the study's conclusion and plans for further research.

A few significant studies that are connected to the Detection of SQLIAs for Enhancing Web Security are examined and filtered in order to carry out the present task.Table I provides a concise comparison of key research works on SQLi detection using ML, highlighting proposed methods, datasets used, key findings, and identified challenges.

Hasan, Balbahaith and Tarique (2019) developed a heuristic technique built around ML to stop SQLi attacks. It trains and evaluates 23 distinct ML classifications using a dataset of 616 SQL expressions. It builds a top five classifiers served as the foundation for the Graphical User Interface (GUI) application amongst the ones mentioned above, chosen for their identification accuracy. The results of testing the suggested technique demonstrate that it can recognize SQLIAs with a from head to foot grade of accuracy (93.8%) [ 8].

Noor et al. (2019) Based on documented attack patterns, a new ML-based approach is suggested to identify cyber risks. To create threats and TTPs obtained from reliable sources in a semantic network of malware with related detection methods. The system is trained on a dataset of TTP taxonomies and threat artefacts. Its performance is evaluated using threat notifications. Despite the implementation of fictitious and missing TTPs, the system remains in place and effectively detects attacks with a 92% accuracy rate and few FP. On average, an internet connection trained with 133 TTPs from 45 security domains detects data breaches in 0.15 seconds [ 9].

Zhang (2019) introduces an ML classifier intended to find PHP code that has SQLi vulnerabilities. Using validation of input and sanitization attributes taken from source code files, algorithms for classifiers were trained and evaluated using both traditional and DL-based ML methods. A CNN-trained model had the best accuracy (95.4%) on ten-fold cross-verification, while the Multilayered Perceptron (MLP)-based model had the greatest level of recall (63.7%) and the strongest f parameter (0.746) [ 10].

Ul Islam et al (2019) Create a supervised learning method to identify NoSQL injections. It uses a variety of supervised learning methods and designs key characteristics by hand. Their tool's cross-validation of 10 times yielded an F2-score of 0.93. Additionally, they tested their tool against NoSQL Map, a NoSQLi generating tool, and discovered that its detection percentage is 36.25% higher than that of Screen, which is the sole NoSQL intrusion identification tool currently on the market [ 11].

McWhirter et al. (2018) offer a unique way to categorize queries made with SQL based just on the original query string's properties. Several test datasets taken from the Flashback testbed datasets are used to assess the suggested solution. For Select type operations, the demonstrating the applications accuracy was 97.07%, and for Insert type queries, it was 92.48%. This low success rate results from the characteristic process for extraction being confused by unclean quote marks in valid inputs [ 12].

Chattopadhyay et al. (2018) The document investigates obstacles when implementing machine learning methods for attack identification systems. This paper investigates various built-in difficulties related to machine learning techniques for intrusion detection definition and execution methods. Their research evaluates multiple machine learning techniques against different datasets in order to select the optimal solution for changing usage patterns by utilizing diverse performance measurement metrics. The amount of data processed by servers has grown dramatically so their security becomes a top priority [ 13].

Table 1 summarizes various ML-based approaches for SQL injection detection, highlighting methods, datasets, performance metrics, and limitations. While most achieve high accuracy, common challenges include small datasets, limited generalizability, scalability issues, and technology-specific constraints.

The research design SQLi attack detection requires a methodical methodology that includes data collection, the preprocessing phase and model development, and performance evaluation that is illustrated inFigure 1. Initially, the SQLi dataset sourced from Kaggle contains over 30,000 SQL queries. The dataset is rigorously pre-processed, which includes dealing with unavailable values, removing duplicates, tokenization of queries into logical components, numerical encoding, and normalization. Feature extraction is performed using G-test scoring to identify the most discriminative features relevant for classification. After that, a performance evaluation is carried out by training a GRU model on 80% of the data while testing is done on the remaining 20%. The model's effectiveness is measured using precision, accuracy recall, and F1-score, supported by visualizations like confusion matrix, accuracy and loss curves, highlighting the GRU model’s superior ability to detect SQLi attacks compared to traditional ML models.

Each step of a proposed flowchart for Detection of SQLi Attacks for Enhancing Web Security is provided below:

In this research, it uses the SQLi dataset from Kaggle. Most of the 30,919 query statements from various websites are "SELECT FROM" and similar SQL variations. The three forms of SQLi Union Based, Blunder Based, and Blind SQL Injections amount to around 6,000 in this dataset the correlation of data is shown inFigure 2.

Figure 2 illustrates the correlations between various SQL query features using a color gradient from blue (negative) to red (positive). It highlights relationships among attributes like query length, SQL keywords, special characters, and logical operators. Diagonal values show perfect self-correlation, while off-diagonal elements reveal feature interdependencies. This visualization aids in understanding which characteristics commonly co-occur, offering insights for query analysis and security detection.

During the data pre-processing step, SQL queries need sequential and numerical inputs to be properly prepared. The data preparation includes multiple steps, which start with tokenization and end with normalization, that ensure effective data structure. This procedure puts emphasis on dependent execution sequences because they enable the recognition of search patterns for SQLi attacks. The data pre-processing protocol includes the following sequential steps:

Handle missing value: The algorithm replaces absent Numeric values by inputting the mean of column statistics to preserve original numerical centralities.

Eliminating duplicate records: To prevent redundancy and overfitting during model training the technician removes duplicate entries from the records.

Tokenization: The tokenization process divides SQL queries into key terms as well as relation operators and literal values and unique symbols. Through tokenization the system learns about typical keyword arrangements and SQL attack-related character sequences because it provides structure to sequence analysis.

Numerical encoding: After tokenization, an embedding layer converts each token into a numerical identity, creating dense vector representations of syntactic and partially semantic relationships.

The G-test is a feature extraction method that evaluates the dependency between categorical features and the target variable. It uses a likelihood ratio to measure how much a feature’s distribution differs across classes, selecting features with high scores for better model performance.

Normalizing data is an essential component of training. There is a significant variation in the range of numerical figures in the collected data. Characteristics with such a wide range of values already have a much bigger impact on the classifier than characteristics with a narrower range of values; hence, a fraction (decimal) part of the information was omitted. Using the normalization Equation (1), it translates a given property to the interval 【0, 1】:

where $x_{min}$ is the lowest of all the original features,$x_{max}$ is the biggest of all the original features, and x is the value before the feature value is processed. The mapping interval's highest and lowest values are denoted by the terms high and low, appropriately

The dataset is separated into two parts of size 80% and 20% for training and testing purposes, respectively.

An LSTM neuronal network's additional time dedicated to training its models yields a more complicated internal structure and challenging parameter adjustment [ 14]. GRU is a condensed form of an LSTM. The GRU model offers comparable prediction accuracy to the LSTM model while requiring fewer hours of training time. GRU reduces the merging of the memory’s module to only two regulating components—the current gate and the reset gate—by combining the input and recollection gates of the LSTM into a single maintenance gate. The portal of updates is shown as $Z_t$, regulates how much information from the previous data state is incorporated into the current state. While the prior neuron handles fewer historical items, higher update gate values give current information precedence over past information. The main function of the apprise gates is to maintain memory and then identify extended patterns that occur in water quality data sequences. The capture process of information through the update gate utilizes the Equation (2) which shows:

The release gate component $R_t$, functions as a pivotal part in determining the amount of stored historical data. The retention of past historical data becomes more effective as reset gate values decrease since this setting helps identify short-term trends in parameterisation data on the condition of water. Equation (3) serves to compute the reset gate information that looks like this:

here $h_t$ represents the unit's emission state at time �� and ${\stackrel{-}{h}}_t$ symbolizes the roundabout municipal value of $h_t$. The current unit data gets stored into this value before transmission but an estimate of the previous output needs calculation using Equation (4).

The projected results for data on water quality parameters appear as Equation (5)

here $X_t\mathrm{ }$denotes the numerical value of the supplied data at this time $t_t$, $h_{t-1}$is the current memory cell's outcome for water's cleanliness characteristic data $t-1$, $W_Z,\mathrm{ }{W}_r,$and $W_{\stackrel{-}{h}}$ indicate the cell's weight matrix, “【】” represents the relationship between two matrices, "∗" stands for the tanh procedure is the divided curves of the registration operation, and the matrix whose result is σ is the participation constant.

The evaluation process for a classification model in ML consists of a confusion matrix, which takesTable table form. It is a matrix that summarizes the class labels for a collection of test data, both real and expected. The quantity of each class's TP, FP, TN, and FN is publicized in the confusion matrix. The amount of accurate predictions for the positive the number of accurate forecasts for the negative class is TN, the number of erroneous predictions for the positive class is FP, the number of incorrect estimations for the negative class is FN, and the class TP. Accuracy, precision, recall, and F1 score are among the assessment metrics that may be calculated using the confusion matrix.

Accuracy: The Measure achieves correct predictions through Accuracy however, this method works less effectively when dealing with unbalanced datasets. It is given as Equation (6).

Precision: The focus of precision rests in determining accurate positive predictions to reduce false positives. The precision ratio measures positively predicted instances compared to all predicted instances for decision-making validity. It is expressed as Equation (7).

Recall: Model recall represents the ability to detect all positive cases effectively and avoid false negative errors. The mathematical expression of recall appears as Equation (8).

F1 score: F1-score determines evaluation control by combining precision and recall measurement to achieve class balance especially when dealing with imbalanced datasets. Mathematically, it is given as Equation (9).

The combined effect of these metrics reveals how accurate and effective the model proves to be for target variable predictions.

A combination of these evaluation metrics helps determine both the accuracy and effectiveness of target prediction by the model. A multithreaded computer system enabled the execution using its Intel Core i7 CPU operating at 3.4 GHz in combination with an NVIDIA Geforce GTX 980M GPU having 8 GB of RAM and additional system components. The evaluation metrics performance of the proposed GRU model can be found inTable 2. The model demonstrated 96.65% accuracy, which proves its ability to detect predictions with high precision. The model exhibits precision at 97%, which demonstrates its capacity to detect genuine positives with low false alarm rates, and a recall of 92.5% proves its achievement of identifying most actual SQLi instances. The F1-score level of 94% demonstrates that the GRU model maintains proper precision-recall balance when detecting SQLi attack set variables, thus establishing its reliable and robust nature.

Table 2 shows the training accuracy (red dashed line with circles) and validation accuracy (green solid line with circles) over 20 epochs. The training accuracy generally fluctuates between approximately 0.97 and 0.99, showing an overall high performance on the training data. The authentication accuracy, representing the representation's performance on unseen data, varies between roughly 0.96 and 0.98, indicating good generalization with some fluctuations across epochs. Notably, there isn't a significant and consistent disparity between validation accuracy and training outcomes, indicating that the training data is not being overfitted by the model.

Figure 3 shows the training loss (blue dashed line with circles) and validation loss (purple solid line with circles) over 20 epochs. Both training and validation loss generally range roughly between 0.05 and 0.11, suggesting that the model is learning and that the error is becoming less with time. But the loss of validity exhibits more variability and, at times, spikes higher than the training loss, suggesting that when compared to training data, the arrangement of concepts performs less reliably when dealing with uncertain data.

Figure 4 presents the GRU algorithm's confusion matrix. cataloguing presentation, with 2 classes, malicious and benign. The matrix indicates 667 TN and 300 true positives, showing the model accurately identified both benign and malicious cases. Misclassifications were minimal, with only 10 FP and 23 FN, demonstrating the GRU model’s strong classification capability. The model performs slightly better at identifying benign instances but overall shows balanced and effective detection across both classes.

Here, the experimental results are compared between ML and DL models (seeTable 3) for detecting SQLi attacks. The GRU model delivered 96.65% accuracy which surpassed all other traditional ML-based models. The SVM scored 91% accuracy with KNN at 87.6%. SQLi attack detection operates more efficiently with GRU models because they successfully capture sophisticated temporal data patterns better than traditional ML solutions.

The proposed model using GRU technology provides multiple benefits for SQLi detection by understanding sequential SQL query dependencies, which results in better accuracy rates. Traditional ML models differ from the GRU network because it maintains effective processing of inputs with different lengths and learns complete context for better accuracy measurements. The model effectively detects benign from malicious queries through its 96.65% accuracy rate accompanied by 94% F1-score measurement. The model shows excellent generalization to unknown data through its minimal overfitting behavior and steady validation results which makes it a dependable solution for real-time web application security operations.

Security exploits escalate because of growing Information Technology application usage within distributed environments. The primary goal of SQLi attacks is database theft from back-end server organizations by penetrating their customer database systems. The accuracy of the suggested GRU-based DL framework in detecting SQLi assaults is high, achieving 96.65% with 97% precision, 92.5% recall, and 94% F1-score. When it comes to identifying sequential patterns in SQL queries, the suggested model outperforms SVM (91%), and KNN (87.6%) in conventional machine learning models. One considerable drawback of the model comes from its dependence on fixed labeled data records that cannot capture potential changes or camouflage within SQLi assaults.

The field requires immediate attention on these identified deficiencies. Research efforts should concentrate on acquiring extensive datasets that present integrated SQL and NoSQL attack types. The development of attack-resistant models needs equal importance together with their ability to adapt through diverse attack vector evolution. Deep learning and transfer learning approaches should be studied to automate feature extraction because they would make the process less dependent on domain expertise. Practical deployment needs the integration of ML-based tools into real-time security frameworks with low latency performance and high scalability.