10-22-2009, 08:46 AM #1 Web Hosting Evangelist (Join Date: Apr 2005, Posts: 537)
Easy way to check for SQL injection?
Hello,
I've got a site with quite a high number of pages and SQL commands, and I'm wondering if there's an easy way to scan my code for potential SQL injection faults rather than having to go through every page.
-
10-22-2009, 01:09 PM #2 Web Hosting Master (Join Date: May 2009, Posts: 766)
Probably not, but it might help to know what language you're using and what DB routines you're using.
-
10-22-2009, 01:40 PM #3 Web Hosting Evangelist (Join Date: Apr 2005, Posts: 537)
Using PHP/MySQL.
-
10-22-2009, 01:55 PM #4 Web Hosting Master (Join Date: Apr 2009, Location: Pittsburgh, Pennsylvania, Posts: 583)
Is everything being properly escaped?
-
10-22-2009, 10:15 PM #5 Web Hosting Master (Join Date: Feb 2006, Location: Buffalo, NY, Posts: 1,501)
Use or make a database class that does the filtering for you, then utilize that class in your application.
End result: no SQL injections.
-
10-23-2009, 12:14 AM #6 Web Hosting Evangelist (Join Date: Nov 2003, Location: Marylebone, London, UK, Posts: 530)
-
10-23-2009, 11:47 AM #7 Web Hosting Master (Join Date: May 2009, Posts: 766)
All valid ideas... however, none of them answer the OP's original question. It would be interesting to see a PHP module that acted like Perl's -T flag: all variables were considered tainted until a validation method had been performed. Imagine if PHP would automatically trigger an error if you attempted to pass an unchecked var into mysql_query, system or exec...
Alternatively, you could write a routine that first recognizes all variables being passed into mysql_query and then checks to make sure they've been put through mysql_real_escape_string before the DB call.
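An added example in the spirit of the routine described in this reply (not code from any poster in this thread): a Python heuristic that scans PHP source for mysql_query calls whose SQL carries variables that were not assigned from mysql_real_escape_string or an integer cast earlier in the same file, and flags request data (superglobals) reaching the query directly. The PHP sample it scans is constructed for the example, and the regexes are a line-oriented approximation, not a PHP parser.

```python
import re
from typing import List, Tuple

# Constructed PHP sample in the style the thread discusses (not real site code).
SAMPLE_PHP = r'''<?php
$id = $_GET['id'];
$name = mysql_real_escape_string($_POST['name']);
$page = (int) $_GET['page'];
mysql_query("SELECT * FROM users WHERE id = $id");
mysql_query("UPDATE users SET name = '$name' WHERE id = {$page}");
$sql = "DELETE FROM posts WHERE author = '" . $_COOKIE['user'] . "'";
mysql_query($sql);
'''

QUERY_CALL = re.compile(r'mysql_query\s*\(\s*(.*?)\s*\)\s*;', re.S)
VAR = re.compile(r'\$(\w+)')
# Assignments whose right-hand side sanitises: escaping or an integer cast.
SAFE_ASSIGN = re.compile(
    r'\$(\w+)\s*=\s*(?:mysql_real_escape_string\s*\(|\(\s*int\s*\)|intval\s*\()')
SUPERGLOBAL = re.compile(r'\$_(?:GET|POST|COOKIE|REQUEST)\b')
ASSIGN = re.compile(r'\s*\$(\w+)\s*=\s*(.*);\s*$')


def scan_php(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for mysql_query calls that use
    variables not visibly sanitised earlier in the same file."""
    findings: List[Tuple[int, str]] = []
    lines = source.splitlines()
    # Variable name -> line of the sanitising assignment.
    safe = {m.group(1): i for i, ln in enumerate(lines, 1)
            for m in SAFE_ASSIGN.finditer(ln)}
    # Plain assignments, so a bare $sql argument can be resolved to its text.
    assigned = {m.group(1): m.group(2)
                for ln in lines if (m := ASSIGN.match(ln))}
    for m in QUERY_CALL.finditer(source):
        line_no = source.count('\n', 0, m.start()) + 1
        arg = m.group(1)
        bare = re.fullmatch(r'\$(\w+)', arg)
        if bare and bare.group(1) in assigned:
            arg = assigned[bare.group(1)]
        if SUPERGLOBAL.search(arg):
            findings.append((line_no, 'request data used directly in query'))
            continue
        for v in VAR.finditer(arg):
            name = v.group(1)
            if name in safe and safe[name] < line_no:
                continue  # escaped or cast before the query: treat as clean
            findings.append((line_no, f'${name} reaches mysql_query without escaping'))
    return findings


if __name__ == '__main__':
    for line_no, msg in scan_php(SAMPLE_PHP):
        print(f'line {line_no}: {msg}')
```

Run it over real files by reading each one into scan_php; a variable escaped inside a branch or loop the regex cannot see will still be reported, which is the conservative direction for this kind of check.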
-
10-23-2009, 11:57 AM #8 Web Hosting Master (Join Date: Feb 2006, Location: Buffalo, NY, Posts: 1,501)
-
10-23-2009, 01:54 PM #9 Web Hosting Master (Join Date: May 2009, Posts: 766)
If I expand your opinion to its extreme conclusion, there would be no need for even a syntax check flag on the CLI binary.
Back in my Perl days, I would add -Tw and CGI::Carp qw/fatalsToBrowser/ to every script during development. Once I was satisfied that all of my inputs were being sufficiently cleaned, I would remove all that before putting it into production. To me, it serves the following purposes:
- It is invaluable for teaching people new to scripting how to really lock down your code.
- For seasoned vets, input sanitization is either completely natural or already handled by your Framework. Still, we make mistakes and it's nice to have the interpreter slap us on the wrist when something gets overlooked.
As far as best practice is concerned, I agree that using/writing a DB class/Framework is the way to go. The reality of the matter is that PHP is a beginner's language, and it would be very nice to see a module that performed sanity checks on your code.
-
10-25-2009, 01:23 AM #10 Newbie (Join Date: Oct 2009, Location: Pearland, TX, Posts: 15)
There are some character sequences that are notorious for SQL injection:
'', the double dash for commenting, etc. It's best to scrub your data at the global ASAX level (ASP.NET), looking for certain patterns. Then blacklist any IPs that try something funny.
-
10-25-2009, 04:22 AM #11 DigitalPunchCardMaker (Join Date: Oct 2004, Location: Moji, Posts: 2,107)
To be on the safe side, I would check each and every page.
Also, using prepared statements (check the PDO extension of PHP) will save you a lot of headaches.
-
10-25-2009, 10:45 AM #12 Web Hosting Evangelist (Join Date: Apr 2005, Posts: 537)
Looks like I'm going to have to do it by hand then; I was hoping for a temporary way of logging the SQL injections so I could narrow down the pages causing it.