Security Basics mailing list archives

Re: Test for SQL Injection


From: Jon Herron <leftturnsolutions () yahoo com>
Date: Mon, 27 Oct 2008 08:54:42 -0700 (PDT)

As far as coding conventions go: if you are using a database that supports
stored procedures, they help a lot toward avoiding SQL injection
attacks.  Beyond that, MySQL has a mysql_escape_string function that
can be used to escape input parameters for use in a SQL query.  If you
can use mysqli (PHP), bind parameters are offered, which are nice as
well.  A very basic rule of thumb is: don't put an input parameter, whether it
comes from GET, POST, etc., directly into a SQL query without cleansing it
first.

Thanks,


Jon Herron
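
The two approaches mentioned in the reply above, side by side, as an added example that is not part of the original post or of any project it names. It assumes a MySQL server reachable with the connection constants at the top and a table `users(id, username, password_hash)`; the host, credentials, table layout and the function names `findUserUnsafe`, `findUserSafe` and `findUserEscaped` are all assumptions made for illustration. One caveat on the reply's escaping suggestion: `mysql_escape_string` is deprecated in PHP because it ignores the connection character set; the connection-aware `mysqli::real_escape_string` (or the `mysqli_real_escape_string` function) is the one to use when a value really cannot be bound.

```php
<?php
// Added example, not code from the original post.
// Assumes (hypothetical): a MySQL server at DB_HOST with the credentials
// below, and a table users(id INT, username VARCHAR(64), password_hash VARCHAR(255)).
declare(strict_types=1);

const DB_HOST = '127.0.0.1';
const DB_USER = 'app';
const DB_PASS = 'secret';
const DB_NAME = 'appdb';

// Throw on every mysqli error so a failed prepare() cannot silently fall
// through to a query that was never parameterised.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
// Escaping is only correct for the charset the connection actually uses.
$db->set_charset('utf8mb4');

// VULNERABLE: the request parameter is interpolated straight into the SQL text.
// With $username = "admin' OR '1'='1' -- " the WHERE clause becomes always-true
// and the first row of the table comes back, whoever it belongs to.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $res = $db->query($sql);
    return $res->fetch_assoc() ?: null;
}

// HARDENED: prepared statement with a bound parameter (the "bind parameters"
// the reply refers to). The query text reaches the server before the data
// does, so quotes, comments or keywords inside $username are only ever data.
// Note that only values can be bound; table and column names cannot.
function findUserSafe(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// FALLBACK for code paths that cannot use a prepared statement: escape with
// the connection-aware real_escape_string (NOT the deprecated
// mysql_escape_string) and still wrap the value in quotes. Escaping alone
// does nothing for an unquoted numeric context such as "... WHERE id = $id".
function findUserEscaped(mysqli $db, string $username): ?array
{
    $safe = $db->real_escape_string($username);
    $res = $db->query("SELECT id, username FROM users WHERE username = '$safe'");
    return $res->fetch_assoc() ?: null;
}

// Constructed test input: a classic tautology payload.
$payload = "admin' OR '1'='1' -- ";
var_dump(findUserUnsafe($db, $payload));   // some row, even though no such user exists
var_dump(findUserSafe($db, $payload));     // NULL unless a user literally has that name
var_dump(findUserEscaped($db, $payload));  // NULL as well; the quote is escaped
```

The third function is deliberately last: escaping is a fallback for legacy queries, not the preferred defence, because it depends on the connection charset being set correctly and on the caller remembering the surrounding quotes, whereas a bound parameter is safe regardless of what the input contains.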



----- Original Message ----
From: Michael Condon <admin () singulartechnologysolutions com>
To: security-basics () securityfocus com
Sent: Sunday, October 26, 2008 2:59:08 PM
Subject: Test for SQL Injection

What are some open source utilities I can use to test a web page for SQL 
Injection vulnerability (MySQL), and what coding practices can be 
implemented to prevent the exploit? 



      

