Home page logo
/

basics logo Security Basics mailing list archives

Re: Test for SQL Injection
From: "Michael Condon" <admin () singulartechnologysolutions com>
Date: Tue, 4 Nov 2008 19:04:01 -0600

Thanks for the input - I was using some effective server side field validation, but am adding mysql_real_escape_string (I think this replaces mysql_escape_string) will help as well - kind of like a belt and suspenders. Where are some other resources for safe/best coding practices in other languages - ASP, etc.? ----- Original Message ----- From: "Jon Herron" <leftturnsolutions () yahoo com> To: "Michael Condon" <admin () singulartechnologysolutions com>; <security-basics () securityfocus com>
Sent: Monday, October 27, 2008 9:54 AM
Subject: Re: Test for SQL Injection


As far as coding conventions go - if using a database that supports
stored procedures, they help a lot toward avoiding sql injection
attacks.  Beyond that, mysql has a mysql_escape_string function that
can be used to escape input parameters for use in a sql query.  If you
can use mysqli (php), bind parameters are offered which are nice as
well.  Very basic rule of thumb is don't put in input param, either it
be from GET, POST, etc directly into a sql query without cleansing it
first.


Thanks,


Jon Herron



----- Original Message ----
From: Michael Condon <admin () singulartechnologysolutions com>
To: security-basics () securityfocus com
Sent: Sunday, October 26, 2008 2:59:08 PM
Subject: Test for SQL Injection

What are some open source utilities I can use to test a web page for SQL
Injection vulnerability (MySQL), and what coding practices can be
implemented to prevent the exploit?







  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]