Structured query language injection (SQLi) is still one of the most critical risks to web application security, as it allows attackers to interfere with sensitive data and even a complete database infrastructure. Although many automated tools are available, previous studies usually achieve only descriptive briefs, which do not offer empirical assessments that measure the performance and the usability. This research fills this void by a systematic five-stage experimental analysis of the Havij automated SQLi tool under a controlled and ethical test setup. Confirmation of vulnerability, automated exploitation, data extraction and benchmarking of performance were performed as the methodology, and the results were compared against the industry standard SQLmap tool. It was found that in less than a minute Havij was able to locate the target database, scan its structure, and steal authentication credentials, which is quite efficient and user-friendly. In contrast to the literature, our work presents not only quantitative measures (time-to-exploit, request volume, and success rate) but also a qualitative evaluation (user accessibility and limitations), which gives a comprehensive evaluation. The results highlight trade-offs between the depth and accessibility, the continued dangers of SQLi in practice, and provide recommendations that developers and security experts can implement.

Havij; Structured query language injection; Structured query language injection tools; Web application; Website vulnerabilities