How could I test to see if SQL injection doesn't work in a textbox on my site?
2
- You'll have to be much more specific. How are you escaping the text before entering it into the database?Savetheinternet– Savetheinternet2011-01-09 17:57:23 +00:00Commented Jan 9, 2011 at 17:57
- Can you show some internal code? i.e. how the textbox is used? There is no generic way, it depends on the query you're usingPekka– Pekka2011-01-09 17:57:44 +00:00Commented Jan 9, 2011 at 17:57
Add a comment |
5 Answers
Use a mechanism that guarantees it's impossible by design, like bound parameters. Then no testing (for SQL injection resistance) is necessary.
Put another way: don't rely on ad-hoc escaping code; it's very likely you won't get it 100% correct.
answered Jan 9, 2011 at 17:57
Oliver Charlesworth
274k34 gold badges591 silver badges687 bronze badges
4 Comments
Jens Schauder
So how do you test if you succeeded doing so in a non trivial application?
Oliver Charlesworth
@Jens: IMHO, this sort of thing is very difficult to unit-test meaningfully. One could choose to test using a pre-defined list of "typical" attack strings, but that doesn't really prove very much at all. This is really a question of system-level design consistency.
gbn
I agree. You shouldn't need to test. Otherwise all you test is the set of inputs you test with
Oliver Charlesworth
@gbn: To be fair, this is true of all unit tests! But this situation is rather like asking for unit tests for e.g. buffer overflow in a C++ application using the string library, just to prove that no-one's accidentally started using raw
char[] buffers and gets()...you usually have to think how the data from the input field will reach the actual select. Once you know that you try to see what sort of text can you put in that field to terminate a sql statement and start another.
For example, if you have do something like this in code: 'select * from table where id = ' . $_GET['id'] and i call you with script.php?id=0%20OR%20true; drop table table; i can execute two statements.
But in general you should avoid constructing selects by concatenating. Better to use bounded parameters as another responder suggested.
Comments
Just enter this String:
'"; If no escaping is in action, this will break your SQL for sure.
See this site about better Strings and this question for more info.
Comments
You could use this list to create attacks against your code: http://ha.ckers.org/sqlinjection/
You also can assemble a list of 'dangerous' characters and character combinations and create (pseudo)-random input values from it.
Comments
Usual check is to just add all special symbols once in field and see if there is an SQL error. If there is no error and record is correctly inserted into DB - that's fine.
