To improve the security of web applications, I developed techniques to detect and prevent SQL Injection Attacks (SQLIAs). This type of attack exploits a web application's vulnerable input fields so that an attacker's commands are executed by the application's underlying database. The first technique that I developed, amnesia, uses static analysis to model the possible legal SQL queries that a web application can generate and then monitors the application at run time to ensure that each executed query matches the model. The empirical evaluation of amnesia showed that it is a highly effective technique for preventing SQLIAs. However, the analysis does not scale well to large web applications, and it is difficult to precisely model all possible database queries. I developed a new technique, wasp, that does not have these limitations. This technique uses positive tainting, which tracks "trusted" strings in an application, and performs a syntax-aware evaluation on each database query before it is executed to ensure that only trusted strings are used to form sensitive parts of a query, such as keywords and operators. Both the positive tainting and the syntax-aware evaluation can be customized with developer-provided specifications, which makes the approach widely applicable. In the empirical evaluation of this technique, I evaluated wasp on a set of ten web applications against over 24,000 attacks and legitimate accesses. wasp stopped all of the attacks without generating any false positives.
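The following is an added illustration of positive tainting with syntax-aware evaluation, written for this page; it is not the wasp implementation. It assumes a simplified SQL tokenizer, a constructed `build_login_query` function standing in for how an application assembles a query, and keyword and operator sets that stand in for the developer-provided specification.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class TaintedString:
    """A string plus one trust mark per character (True = trusted)."""
    text: str
    marks: List[bool]

def trusted(s: str) -> TaintedString:
    # Positive tainting: only strings from trusted sources (here, query
    # fragments hard-coded in the application) are marked as trusted.
    return TaintedString(s, [True] * len(s))

def untrusted(s: str) -> TaintedString:
    # External input (e.g. an HTTP parameter) carries no trust marks.
    return TaintedString(s, [False] * len(s))

def concat(*parts: TaintedString) -> TaintedString:
    # Trust marks propagate through string operations character by character.
    return TaintedString("".join(p.text for p in parts),
                         [m for p in parts for m in p.marks])

# Tokenizer for a simplified SQL dialect; complete string literals must be
# matched before single punctuation so a quote inside a literal is not an operator.
TOKEN_RE = re.compile(r"\s+|'(?:[^']|'')*'|\d+|\w+|<=|>=|<>|!=|--|[^\s\w]")
# Stand-in for the developer-provided specification of "sensitive" tokens.
KEYWORDS = {"select", "from", "where", "and", "or", "not", "union", "insert",
            "update", "delete", "drop", "table", "set", "values", "into"}
OPERATORS = {"=", "<", ">", "<=", ">=", "<>", "!=", "--", ";", "(", ")", ",", "'", "*"}

def check_query(q: TaintedString, keywords=KEYWORDS, operators=OPERATORS) -> Tuple[bool, str]:
    """Syntax-aware evaluation: every keyword and operator token must consist
    entirely of trusted characters. Literals may carry untrusted data."""
    for m in TOKEN_RE.finditer(q.text):
        tok, (start, end) = m.group(0), m.span()
        is_literal = tok.isdigit() or (len(tok) >= 2 and tok.startswith("'"))
        if tok.isspace() or is_literal:
            continue  # whitespace or a complete literal: untrusted data allowed here
        if tok.lower() in keywords or tok in operators:
            if not all(q.marks[start:end]):
                return False, f"untrusted {tok!r} at offset {start}"
    return True, "all sensitive tokens trusted"

def build_login_query(username: str) -> TaintedString:
    # Constructed example of an application assembling a query from a trusted
    # template and an untrusted request parameter.
    return concat(trusted("SELECT * FROM users WHERE name = '"),
                  untrusted(username), trusted("'"))
```

A legitimate value such as `O''Brien` stays inside a literal and passes, while an injected `' OR '1'='1` turns the untrusted `OR` into a keyword token and is rejected before the query reaches the database.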