Automata-Based Model for SQL Injection Pattern Recognition
| Author | |
|---|---|
| Keywords | |
| Abstract | SQL injection remains one of the most critical web application vulnerabilities, often used to bypass authentication and extract sensitive data. While many modern detection systems rely on machine learning or pattern matching, this study revisits classical computational models for recognizing interpretable SQLi patterns. Specifically, three automata, Deterministic Finite Automaton (DFA), Pushdown Automaton (PDA), and Turing Machine (TM), are manually constructed to detect both a classic login bypass and a UNION-based SQL injection pattern. A set of 40 handcrafted inputs was used to evaluate their pattern recognition capabilities. DFA effectively handles simple input sequences but fails with nested or logic-based constructs. PDA improves detection through stack-based handling of structured patterns, while TM provides the most comprehensive recognition by simulating conditional logic and multi-clause sequences. TM achieved 100% accuracy with no false negatives in complex cases, outperforming DFA and PDA. Although not deployable, these models highlight the pedagogical and conceptual utility of formal language theory in modeling and understanding injection attacks. |
| Year of Conference | 2025 |
| Publisher | Institute of Electrical and Electronics Engineers Inc. |
| ISBN Number | 9798331513085 (ISBN) |
| URL | https://ieeexplore.ieee.org/document/11188186 |
| DOI | 10.1109/NMITCON65824.2025.11188186 |
| Alternate Title | IEEE Int. Conf. Networks, Multimed. Inf. Technol., NMITCON |

Conference Proceedings
