Mysql Injection Scanner

2009-12-01 Thread Joe
Hey all, Can anyone (Lisa, I'm looking in your direction) recommend a decent SQL injection scanner? I don't really care if it's server-side or client-side since it's my server, and I don't need to *exploit* the injection points, I just need an easy way to find them. I'd like it to be easy to

Re: Mysql Injection Scanner

2009-12-01 Thread JD Austin
On Tue, Dec 1, 2009 at 7:16 PM, Joe li...@joefleming.net wrote: Hey all, Can anyone (Lisa, I'm looking in your direction) recommend a decent SQL injection scanner? I don't really care if it's server-side or client-side since it's my server, and I don't need to *exploit* the injection

Re: Mysql Injection Scanner

2009-12-01 Thread Trent Shipley
The classic recommendation to protect yourself from SQL injection is to use parameterized queries religiously. A potential SQL injection point is anywhere you concatenate SQL including user contributed text instead of putting the user text into a SQL parameter. A side effect of parameterized
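
As an added example, not code from this thread or from any tool named in it, the following shows the distinction Trent draws: a login query that splices user text into the SQL string beside the same query written with a parameter, plus a grep-level helper that flags the concatenation pattern in source. The sample table, the sample source lines and the names `make_db`, `login_concat`, `login_param` and `find_concat_sql` are my own constructions; SQLite stands in for MySQL so the example runs with no server (the parameter-versus-concatenation point is the same with MySQLdb or mysql.connector, which use `%s` placeholders instead of `?`).

```python
import re
import sqlite3

# Constructed sample data (not from the thread): an in-memory SQLite users table.
# SQLite stands in for MySQL here so the example runs with no server; the
# concatenation-vs-parameter distinction is the same for MySQLdb/mysql.connector.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Injection point: user text is spliced into the SQL string and parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, name, password):
    """Fixed form: the values travel as parameters and are never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# A grep-level check for the pattern Trent describes: an execute() call whose
# SQL is built with + concatenation, % formatting, .format() or an f-string.
# Heuristic (my assumption of a useful first pass): it only sees single-line
# calls and misses queries assembled earlier, so it is a review aid, not a scanner.
_EXECUTE = re.compile(r"\bexecute(?:many)?\(")
_BUILDERS = [
    re.compile(r"\+\s*\w"),               # "..." + user_input
    re.compile(r"""['"]\s*%\s*[\w(]"""),  # "..." % user_input
    re.compile(r"\.format\("),            # "...".format(user_input)
    re.compile(r"""\bf['"]"""),           # f"... {user_input}"
]


def find_concat_sql(source):
    """Return (line number, line) for execute() lines that build SQL by string building."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _EXECUTE.search(line) and any(p.search(line) for p in _BUILDERS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample source lines to scan (not real project code).
# Lines 1-3 build the SQL from user_id; lines 4-5 pass it as a parameter.
SAMPLE_SOURCE = '''\
cur.execute("SELECT * FROM t WHERE id = " + user_id)
cur.execute("SELECT * FROM t WHERE id = %s" % user_id)
cur.execute(f"SELECT * FROM t WHERE id = {user_id}")
cur.execute("SELECT * FROM t WHERE id = %s", (user_id,))
cur.execute("SELECT * FROM t WHERE id = ?", (user_id,))
'''

if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("concat, valid password:   ", login_concat(conn, "alice", "s3cret"))
    print("concat, injected password:", login_concat(conn, "alice", payload))
    print("param, injected password: ", login_param(conn, "alice", payload))
    for lineno, line in find_concat_sql(SAMPLE_SOURCE):
        print(f"string-built SQL at line {lineno}: {line}")
```

With the payload `' OR '1'='1` as the password, `login_concat` returns every user because the text becomes part of the WHERE clause, while `login_param` returns nothing because the driver hands the same text to the engine as a value. The scanner flags only the three string-building lines of the sample source; on a real code base it is the starting list to review, since queries assembled across several lines or in a helper will not show up.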

Re: Mysql Injection Scanner

2009-12-01 Thread Joseph Sinclair
It's not going to find everything, and it's definitely not a fully-automated tool, but I find the SQLInjectMe plugin for Firefox to be a very useful tool for SQL injection testing. For more automated scanning, you might try Wikto (http://www.sensepost.com/research/wikto/), although I don't

Re: Mysql Injection Scanner

2009-12-01 Thread Lisa Kachold
Joseph Sinclair gives us the experiential slant, as usual! I like the full set of Backend tools from OWASP: http://www.owasp.org/index.php/OWASP_Backend_Security_Project_Tools i.e. SQL Dumper. I really like the OWASP site for their comprehensive study of this subject: