
How could I test to see if SQL injection doesn't work in a textbox on my site?

Seth
  • You'll have to be much more specific. How are you escaping the text before entering it into the database? – Savetheinternet Jan 09 '11 at 17:57
  • Can you show some internal code, i.e. how the textbox is used? There is no generic way; it depends on the query you're using. – Pekka Jan 09 '11 at 17:57

5 Answers

8

Use a mechanism that guarantees it's impossible by design, like bound parameters. Then no testing (for SQL injection resistance) is necessary.

Put another way: don't rely on ad-hoc escaping code; it's very likely you won't get it 100% correct.

Oliver Charlesworth
  • So how do you test if you succeeded in doing so in a non-trivial application? – Jens Schauder Jan 09 '11 at 17:59
  • @Jens: IMHO, this sort of thing is very difficult to unit-test meaningfully. One could choose to test using a pre-defined list of "typical" attack strings, but that doesn't really prove very much at all. This is really a question of system-level design consistency. – Oliver Charlesworth Jan 09 '11 at 18:04
  • I agree. You shouldn't need to test. Otherwise all you test is the set of inputs you test with. – gbn Jan 09 '11 at 18:13
  • @gbn: To be fair, this is true of all unit tests! But this situation is rather like asking for unit tests for e.g. buffer overflow in a C++ application using the string library, just to prove that no-one's accidentally started using raw `char[]` buffers and `gets()`... – Oliver Charlesworth Jan 09 '11 at 18:16
1

Just enter this string:

'";

If no escaping is in action, this will break your SQL for sure.

See this site about better strings and this question for more info.

Daniel
1

You usually have to think about how the data from the input field will reach the actual select. Once you know that, you try to see what sort of text you can put in that field to terminate a SQL statement and start another.

For example, if you do something like this in code: 'select * from table where id = ' . $_GET['id'] and I call you with script.php?id=0%20OR%20true; drop table table; I can execute two statements.

But in general you should avoid constructing selects by concatenating. Better to use bound parameters, as another responder suggested.

Mihai Toader
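The concatenation pattern from the answer above beside the bound-parameter fix recommended by Oliver Charlesworth, as an added example that is not code from any of the posters. It uses an in-memory SQLite table constructed here, and shows what the probe strings already quoted on this page (`0 OR true` and `'";`) do to each version: the concatenated query returns every row or raises a database error, the bound version simply finds nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items (id, name) VALUES (?, ?)",
                     [(1, "public"), (2, "private")])
    return conn


def lookup_concatenated(conn, user_id):
    """Mirrors the vulnerable pattern in the answer above: the request
    value is pasted straight into the SQL text, so it can change the
    statement's structure (WHERE id = 0 OR true matches every row)."""
    sql = "SELECT id, name FROM items WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_bound(conn, user_id):
    """The fix: the value travels as a bound parameter and is only ever
    compared against the id column, never parsed as SQL."""
    sql = "SELECT id, name FROM items WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def probe(fn, conn, value):
    """Run one lookup and report either the rows or the database error,
    which is what the 'does it break my SQL' check on this page looks for."""
    try:
        return ("rows", fn(conn, value))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "0 OR true", "'\";"):
        print(repr(value), "concatenated:", probe(lookup_concatenated, db, value))
        print(repr(value), "bound:       ", probe(lookup_bound, db, value))
```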
1

You could use this list to create attacks against your code: http://ha.ckers.org/sqlinjection/

You can also assemble a list of 'dangerous' characters and character combinations and create (pseudo-)random input values from it.

Jens Schauder
0

The usual check is to just add all special symbols once in the field and see if there is an SQL error. If there is no error and the record is correctly inserted into the DB, that's fine.

BarsMonster