RE: Test for SQL Injection

["David Crandell" <david () onholdwizard com>]

HP Scrawlr is actually free... it's not as in-depth as some of the tools
others have recommended but it works nicely.

https://h30406.www3.hp.com/campaigns/2008/wwcampaign/1-57C4K/index.php?mcc=D
NXA&jumpid=in_r11374_us/en/large/tsg/w1_0908_scrawlr_redirect/mcc_DNXA

BR,

Dave Crandell

Vice President, Information Systems

On Hold Media Group

972-758-1300

david () onholdwizard com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Michael Condon
Sent: Thursday, November 06, 2008 11:23 AM
To: David Crandell; security-basics () securityfocus com
Subject: Re: Test for SQL Injection

I imagine that HP Scrawlr is a bit pricey.
If JavaScript is required to enable the Submit button on an HTML form, is 
there a way to circumvent this?
I do have two layers of server side protection from SQL Injection as well.
----- Original Message ----- 
From: "David Crandell" <david () onholdwizard com>
To: "'Michael Condon'" <admin () singulartechnologysolutions com>; 
<security-basics () securityfocus com>
Sent: Monday, October 27, 2008 10:37 AM
Subject: RE: Test for SQL Injection


> I have used HP's scrawlr.
>
> To prevent attacks, validate input in your forms (server-side, not just 
> with
> javascript) and make sure any querystring parameters are filtered or
> validated with server-side code before they are passed to the database.
>
> Dave Crandell
> Vice President, Information Systems
> On Hold Media Group
> 972-758-1300
> david () onholdwizard com
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] 
> On
> Behalf Of Michael Condon
> Sent: Sunday, October 26, 2008 1:59 PM
> To: security-basics () securityfocus com
> Subject: Test for SQL Injection
>
> What are some open source utilities I can use to test a web page for SQL
> Injection vulnerability (MySQL), and what coding practices can be
> implemented to prevent the exploit?