Injection Attacks exploit vulnerabilities of Web pages by inserting and executing malicious code (e.g., database query, Javascript functions) in unsuspecting users' computing environment or on a Web server. Such attacks compromise users' information and system resources, and pose a serious threat to personal and business assets. Methods have been devised to counter attacks and/or detect vulnerabilities to injection attacks in queries and/or in application source code. We define a classification for these query and application level methods and use this to classify a representative body of works that address injection attacks. We investigate and develop a framework where queries and vulnerable fragments of applications (written in query and application languages) are identified and analyzed offline (statically), and at runtime the vulnerable fragments are monitored to detect possible injection attacks. At its core, our framework leverages model checking, program analysis and concolic testing. Results show the effectiveness of our framework compared to the existing ones in three dimensions: first, our framework can detect vulnerabilities that go undetected when existing methods are used; second, our framework makes offline analysis of applications time efficient; and finally, our framework reduces the runtime monitoring overhead by focusing only on query conditions and application fragments that are vulnerable to injection attacks.