Re: Test for SQL Injection

["Michael Condon" <admin () singulartechnologysolutions com>]

Thanks for the input - I was using some effective server side field 
validation, but am adding mysql_real_escape_string (I think this replaces 
mysql_escape_string) will help as well - kind of like a belt and suspenders.
Where are some other resources for safe/best coding practices in other 
languages - ASP, etc.?
----- Original Message ----- 
From: "Jon Herron" <leftturnsolutions () yahoo com>
To: "Michael Condon" <admin () singulartechnologysolutions com>; 
<security-basics () securityfocus com>
Sent: Monday, October 27, 2008 9:54 AM
Subject: Re: Test for SQL Injection


> As far as coding conventions go - if using a database that supports
> stored procedures, they help a lot toward avoiding sql injection
> attacks.  Beyond that, mysql has a mysql_escape_string function that
> can be used to escape input parameters for use in a sql query.  If you
> can use mysqli (php), bind parameters are offered which are nice as
> well.  Very basic rule of thumb is don't put in input param, either it
> be from GET, POST, etc directly into a sql query without cleansing it
> first.
>
>
> Thanks,
>
>
> Jon Herron
>
>
>
> ----- Original Message ----
> > From: Michael Condon <admin () singulartechnologysolutions com>
> > To: security-basics () securityfocus com
> > Sent: Sunday, October 26, 2008 2:59:08 PM
> > Subject: Test for SQL Injection
> >
> > What are some open source utilities I can use to test a web page for SQL
> > Injection vulnerability (MySQL), and what coding practices can be
> > implemented to prevent the exploit?