Security Basics mailing list archives
Re: Test for SQL Injection
From: Jon Herron <leftturnsolutions () yahoo com>
Date: Mon, 27 Oct 2008 08:54:42 -0700 (PDT)
As far as coding conventions go - if using a database that supports stored procedures, they help a lot toward avoiding SQL injection attacks. Beyond that, MySQL has a mysql_escape_string function that can be used to escape input parameters for use in a SQL query. If you can use mysqli (PHP), bind parameters are offered, which are nice as well. The very basic rule of thumb is: don't put an input parameter, whether it comes from GET, POST, etc., directly into a SQL query without cleansing it first.

Thanks,
Jon Herron

----- Original Message ----
From: Michael Condon <admin () singulartechnologysolutions com>
To: security-basics () securityfocus com
Sent: Sunday, October 26, 2008 2:59:08 PM
Subject: Test for SQL Injection

What are some open source utilities I can use to test a web page for SQL Injection vulnerability (MySQL), and what coding practices can be implemented to prevent the exploit?
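The reply above contrasts pasting request parameters straight into query text with binding them as parameters (the mysqli bind-parameter approach). The following is an added example, not code from either poster, that shows both styles side by side so the difference can be observed: an in-memory SQLite database stands in for MySQL, the `users` table and the `alice` row are constructed sample data, and the `login_*` function names are the example's own. The `?` placeholders of Python's DB-API play the role that mysqli's bound parameters play in PHP.

```python
import sqlite3

def make_db():
    # Constructed sample data: an in-memory SQLite database stands in for MySQL.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The request values are interpolated into the SQL text itself, so any
    # quote character in the input becomes part of the SQL grammar rather
    # than part of the compared value. This is the pattern the reply warns against.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    # Bound parameters: the statement text is fixed and the values travel
    # separately, so the input cannot alter the statement's structure.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def demo():
    # Runs one valid login and one constructed input containing a quote through
    # both functions and reports which ones granted access.
    conn = make_db()
    probe = "' OR '1'='1"  # constructed test input with an embedded quote
    return {
        "valid_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "valid_param": login_parameterized(conn, "alice", "correct horse"),
        "probe_vuln": login_vulnerable(conn, "alice", probe),
        "probe_param": login_parameterized(conn, "alice", probe),
    }

if __name__ == "__main__":
    for name, granted in demo().items():
        print(f"{name}: {'access granted' if granted else 'denied'}")
```

Both functions accept the genuine credentials, but only the interpolated version also accepts the quote-bearing probe, because the quote closes the string literal in the query text and the remainder is parsed as SQL. The parameterized version treats the whole input as an opaque value and denies it, which is the property the reply's advice is after; in PHP the equivalent is preparing the statement and binding values with `mysqli_stmt::bind_param` rather than escaping them into the query string.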
Current thread:
- Re: Test for SQL Injection Jon Herron (Oct 27)
- <Possible follow-ups>
- Re: Re: Test for SQL Injection anthony_cicalla (Oct 29)