NWSTech
10-22-2009, 08:46 AM
Hello,
I've got a site with quite a high number of pages and SQL commands, and I'm wondering if there's an easy way to scan my code for potential SQL injection faults rather than having to go through every page.
mattle
10-22-2009, 01:09 PM
Probably not, but it might help to know what language you're using and what DB routines you're using.
cselzer
10-22-2009, 01:55 PM
Is everything being properly escaped?
CodyRo
10-22-2009, 10:15 PM
Use or make a database class that does the filtering for you, then utilize that class in your application.
End result: no SQL injections
squirrelhost
10-23-2009, 12:14 AM
Any PHP page where you're only querying the DB, use a MySQL user to connect who only has the SELECT privilege (in addition to the usual security mentioned above, of course).
mattle
10-23-2009, 11:47 AM
All valid ideas... however, none of them answer the OP's original question. It would be interesting to see a PHP module that acted like Perl's -T flag: all variables are considered tainted until a validation method has been performed. Imagine if PHP would automatically trigger an error if you attempted to pass an unchecked var into mysql_query, system or exec...
Alternatively, you could write a routine that first recognizes all variables being passed into mysql_query and then checks to make sure they've been put through mysql_real_escape_string before the DB call.
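One way to build the routine mattle describes, as an added example that is not code from the thread: a heuristic Python scanner that reads PHP source, notes variables assigned from mysql_real_escape_string or intval, and flags any variable that reaches a mysql_query call on the same line without one of those wrappers. The PHP snippet inside it is constructed sample input.

```python
import re

# Constructed PHP snippet used as sample input (not code from the thread).
SAMPLE_PHP = r'''
<?php
$id = $_GET['id'];
$r1 = mysql_query("SELECT * FROM users WHERE id = $id");
$safe = mysql_real_escape_string($_GET['name']);
$r2 = mysql_query("SELECT * FROM users WHERE name = '$safe'");
$r3 = mysql_query("SELECT * FROM users WHERE name = '" . $_POST['name'] . "'");
$r4 = mysql_query("SELECT * FROM users WHERE x = " . intval($_GET['x']));
'''

# Functions whose result we treat as cleaned before it touches SQL.
SANITIZERS = r'(?:mysql_real_escape_string|intval)'
# $var = sanitizer(...)  -> remember $var as cleaned for later lines
ESCAPED_ASSIGN = re.compile(r'\$(\w+)\s*=\s*' + SANITIZERS + r'\s*\(')
# the argument list of a mysql_query call written on one line
QUERY_CALL = re.compile(r'mysql_query\s*\((.*)\)\s*;')
# any $name or $name[...] reference (so $_GET['x'] yields "_GET")
VAR_REF = re.compile(r'\$(\w+)(?:\[[^\]]*\])?')
# sanitizer call immediately wrapping the variable, e.g. intval($_GET['x'])
INLINE_SANITIZED = re.compile(SANITIZERS + r'\s*\(\s*$')

def scan_php(source):
    """Return [(line_number, variable_name)] for every variable that reaches
    mysql_query without passing through a recognised sanitizer."""
    cleaned = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ESCAPED_ASSIGN.search(line)
        if m:
            cleaned.add(m.group(1))
        q = QUERY_CALL.search(line)
        if not q:
            continue
        arg = q.group(1)
        for ref in VAR_REF.finditer(arg):
            name = ref.group(1)
            if name in cleaned or INLINE_SANITIZED.search(arg[:ref.start()]):
                continue
            findings.append((lineno, name))
    return findings

if __name__ == '__main__':
    for lineno, name in scan_php(SAMPLE_PHP):
        print(f'line {lineno}: ${name} reaches mysql_query unescaped')
```

The check is line-local, so a query assembled into a variable on earlier lines and then passed as `mysql_query($sql)` is not followed; treat the output as a list of pages to review first, not as proof that the others are clean.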
CodyRo
10-23-2009, 11:57 AM
All valid ideas... however, none of them answer the OP's original question. It would be interesting to see a PHP module that acted like Perl's -T flag: all variables are considered tainted until a validation method has been performed. Imagine if PHP would automatically trigger an error if you attempted to pass an unchecked var into mysql_query, system or exec...
Alternatively, you could write a routine that first recognizes all variables being passed into mysql_query and then checks to make sure they've been put through mysql_real_escape_string before the DB call.
In my opinion that's not the job of the language, though it may be handy.
mattle
10-23-2009, 01:54 PM
In my opinion that's not the job of the language, though it may be handy.
If I expand your opinion to its extreme conclusion, there would be no need for even a syntax check flag on the CLI binary.
Back in my Perl days, I would add -Tw and CGI::Carp qw/fatalsToBrowser/ to every script during development. Once I was satisfied that all of my inputs were being sufficiently cleaned, I would remove all that before putting it into production. To me, it serves the following purposes:
It is invaluable for teaching people new to scripting how to really lock down your code.
For seasoned vets, input sanitization is either completely natural or already handled by your Framework. Still, we make mistakes and it's nice to have the interpreter slap us on the wrist when something gets overlooked.
As far as best practice is concerned, I agree that using/writing a DB class/Framework is the way to go. The reality of the matter is that PHP is a beginner's language, and it would be very nice to see a module that performed sanity checks on your code.
whitesites
10-25-2009, 01:23 AM
There are some character sequences that are notorious for SQL injection:
'' the double dash for commenting, etc. It's best to scrub your data at the global ASAX level (ASP.NET), looking for certain patterns. Then blacklist any IPs that try something funny.
BurakUeda
10-25-2009, 04:22 AM
To be on the safe side, I would check each and every page.
Also, using prepared statements (check the PDO (http://www.php.net/manual/en/intro.pdo.php) extension of PHP) will save you a lot of headaches.
NWSTech
10-25-2009, 10:45 AM
Looks like I'm going to have to do it by hand then :(, was hoping for a temporary way of logging the SQL injections so I could narrow down the pages causing it.