The classic recommendation to protect yourself from SQL injection is to
use parameterized queries religiously. A potential SQL injection point
is anywhere you concatenate SQL including user-contributed text instead
of putting the user text into a SQL parameter.
A side effect of parameterized queries is that the SQL parser in the
RDBMS can often/usually pre-parse and optimize the parameterized queries
so they run faster.
But you probably already knew that.
That said, a magic static code analyzer that would effortlessly find all
potential SQL injection points for you would be nice. It will also be
dependent on the procedural language you are using. Are you using PHP#?
Joe wrote:
> Hey all,
>
> Can anyone (Lisa, I'm looking in your direction) recommend a decent SQL
> injection scanner? I don't really care if it's server-side or
> client-side since it's my server, and I don't need to *exploit* the
> injection points, I just need an easy way to find them. I'd like it to
> be easy to figure out, generate output or reports that are easy to
> follow and not require too much to be installed on the server.
>
> The reason I'm looking for something is that the server on which my
> company hosts its websites has been compromised and I've been putting in
> some considerable hours trying to fix things. I've removed malicious
> scripts, fixed or removed the exploited code and changed all of our
> passwords (from ssh to mysql to user accounts).
>
> Today, I happened to catch a SQL injection scan and now I'm trying to
> look down that path some more. Basically, they used one of our (many)
> poorly escaped queries to poll password data for our site login (among
> other things). Luckily, I shut the scan down before they got the
> passwords so I didn't have to have users reset them *again*.
>
> I've cleaned up a bunch of the sql code over the past couple of days, but
> I'm wondering if there's a way for me to scan for injections myself and
> attack code that is "more vulnerable" than others. I found sqlsus
> (http://sqlsus.sourceforge.net/), which looked pretty impressive, but it
> didn't run properly and it wasn't really a scanning tool so much as it
> was an exploiting tool. I also found Pixy
> (http://pixybox.seclab.tuwien.ac.at/pixy/), which looked pretty
> comprehensive, but the output looked a little intimidating. Plus, the
> little I read of the docs wasn't really clear about how to actually use it.
>
> Anything else anyone would recommend?
>
> -Joe
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
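The concatenation-versus-parameter point made in the reply above, shown as an added example that is not part of the original thread or of any tool named in it. It uses Python's standard-library sqlite3 so it runs offline with no server; the users table, its rows, and the two attacker inputs are constructed for the example. The same split between SQL text and bound values is what mysqli_prepare/bind_param gives you in PHP against MySQL.

```python
import sqlite3

# Constructed sample schema and rows (not from the original thread): a login
# table of the kind a site-login query would read.
SAMPLE_USERS = [("alice", "hash_a"), ("bob", "hash_b")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    # Parameterized insert: the values travel separately from the SQL text.
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def login_concatenated(conn, username, password_hash):
    """Vulnerable: user text is spliced into the SQL string, so a quote or a
    comment marker inside it is parsed as SQL, not compared as data."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password_hash):
    """Fixed: the SQL text is constant; user text is bound as a value, so a
    quote or '--' inside it is only ever compared against the column."""
    sql = "SELECT id FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


def search_users_concatenated(conn, term):
    """Vulnerable search: a UNION in the term lets the caller read any column."""
    sql = "SELECT username FROM users WHERE username LIKE '%" + term + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_users_parameterized(conn, term):
    """Fixed search: the wildcard pattern is built in the application and bound."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


# Attacker-controlled inputs, constructed for this example. In SQLite, as in
# MySQL, "-- " starts a comment that swallows the rest of the query.
BYPASS_USERNAME = "alice' -- "
EXFIL_TERM = "' UNION SELECT password_hash FROM users -- "


def demo():
    """Run each pair against the same data and return the outcomes."""
    conn = make_db()
    return {
        # "alice' -- " comments out the password check in the concatenated query.
        "concat_bypass": login_concatenated(conn, BYPASS_USERNAME, "wrong"),
        "param_bypass": login_parameterized(conn, BYPASS_USERNAME, "wrong"),
        "param_real_login": login_parameterized(conn, "alice", "hash_a"),
        # The UNION pulls password hashes into the username search results.
        "concat_search": search_users_concatenated(conn, EXFIL_TERM),
        "param_search": search_users_parameterized(conn, EXFIL_TERM),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The search pair is the shape of the leak described in the quoted message: a poorly escaped query on a harmless-looking column lets a UNION in the input return the password column instead. Note that escaping the quote alone is not the fix; binding the value is, because the bound text never reaches the SQL parser.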