Security Basics mailing list archives
Re: Test for SQL Injection
From: "Michael Condon" <admin () singulartechnologysolutions com>
Date: Tue, 4 Nov 2008 19:04:01 -0600
Thanks for the input - I was using some effective server-side field validation, but am adding mysql_real_escape_string (I think this replaces mysql_escape_string), which will help as well - kind of like a belt and suspenders. Where are some other resources for safe/best coding practices in other languages - ASP, etc.?

----- Original Message -----
From: "Jon Herron" <leftturnsolutions () yahoo com>
To: "Michael Condon" <admin () singulartechnologysolutions com>; <security-basics () securityfocus com>
Sent: Monday, October 27, 2008 9:54 AM
Subject: Re: Test for SQL Injection
As far as coding conventions go - if using a database that supports stored procedures, they help a lot toward avoiding SQL injection attacks. Beyond that, MySQL has a mysql_escape_string function that can be used to escape input parameters for use in a SQL query. If you can use mysqli (PHP), bind parameters are offered, which are nice as well. A very basic rule of thumb is: don't put an input parameter, whether it be from GET, POST, etc., directly into a SQL query without cleansing it first.

Thanks,
Jon Herron

----- Original Message -----
From: Michael Condon <admin () singulartechnologysolutions com>
To: security-basics () securityfocus com
Sent: Sunday, October 26, 2008 2:59:08 PM
Subject: Test for SQL Injection

What are some open source utilities I can use to test a web page for SQL Injection vulnerability (MySQL), and what coding practices can be implemented to prevent the exploit?
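The contrast Jon draws between escaping input and using bind parameters, as an added example that is not code from this thread or from either poster. It uses Python's built-in sqlite3 as a stand-in for MySQL so it runs offline, and escape_string is an illustrative helper standing in for mysql_real_escape_string (SQLite doubles the quote where MySQL's function uses a backslash; the conclusion is the same). The users table and the two payloads are constructed for the example. It also shows the caveat the thread does not spell out: escaping only protects a value that ends up inside quotes, so a value spliced into an unquoted numeric comparison is still injectable, while a bind parameter is safe in both positions.

```python
import sqlite3

# Constructed sample table; sqlite3 (standard library) stands in for MySQL so
# the example runs offline. The injection behaviour shown is the same against
# MySQL.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
    ("o'brien", "obrien@example.com"),  # legitimate value containing a quote
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def names(conn, sql, params=()):
    return [row[0] for row in conn.execute(sql, params)]


def lookup_concat(conn, username):
    """VULNERABLE: the raw request parameter is pasted into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "' ORDER BY id"
    return names(conn, sql)


def escape_string(value):
    """Illustrative stand-in for mysql_real_escape_string (assumption: this is
    not the PHP function). MySQL backslash-escapes quotes; SQLite string
    literals use a doubled quote instead. Either way, this only protects a
    value that ends up INSIDE single quotes in the query."""
    return value.replace("'", "''")


def lookup_escaped(conn, username):
    """Escaping works when the value sits inside quotes in the query."""
    sql = (
        "SELECT username FROM users WHERE username = '"
        + escape_string(username)
        + "' ORDER BY id"
    )
    return names(conn, sql)


def lookup_by_id_escaped(conn, user_id):
    """STILL VULNERABLE: escaping does nothing in an unquoted numeric context."""
    sql = "SELECT username FROM users WHERE id = " + escape_string(user_id) + " ORDER BY id"
    return names(conn, sql)


def lookup_bound(conn, username):
    """Bind parameter: the value never becomes part of the SQL text."""
    return names(conn, "SELECT username FROM users WHERE username = ? ORDER BY id", (username,))


def lookup_by_id_bound(conn, user_id):
    """Bind parameter in the numeric context: nothing to escape or cast."""
    return names(conn, "SELECT username FROM users WHERE id = ? ORDER BY id", (user_id,))


def concat_breaks_on_quote(conn):
    """Unescaped concatenation also fails on honest data containing a quote."""
    try:
        lookup_concat(conn, "o'brien")
        return False
    except sqlite3.OperationalError:  # near "brien": syntax error
        return True


def demo():
    conn = make_db()
    payload = "' OR '1'='1"        # classic string-context injection
    numeric_payload = "1 OR 1=1"   # injection for an unquoted numeric context
    return {
        "concat_injected": lookup_concat(conn, payload),
        "escaped_neutralised": lookup_escaped(conn, payload),
        "escaped_keeps_quote": lookup_escaped(conn, "o'brien"),
        "escaped_numeric_still_injected": lookup_by_id_escaped(conn, numeric_payload),
        "bound_neutralised": lookup_bound(conn, payload),
        "bound_numeric_neutralised": lookup_by_id_bound(conn, numeric_payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The bound form is what the "bind parameters" in the message above refer to; in PHP it corresponds to a mysqli prepared statement (mysqli_prepare followed by bind_param), and the numeric case above is the reason to prefer it over escaping even when every string value is already escaped.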
Current thread:
- Re: Test for SQL Injection Michael Condon (Nov 05)
- <Possible follow-ups>
- Re: Test for SQL Injection Taras P. Ivashchenko (Nov 05)
- Re: Test for SQL Injection Michael Condon (Nov 06)
- RE: Test for SQL Injection David Crandell (Nov 06)
- RE: Test for SQL Injection Rui Pereira (WCG) (Nov 06)
- RE: Test for SQL Injection Robertson, Seth (JSC-IM) (Nov 06)