Thread: How can I test my web application against SQL Injections?
Hi,
I have built a Web Application using PostgreSQL as the database. I need to test it against SQL Injections. What should I do? How to do an accurate test against SQL Injections?
Best Regards,
On Fri, 2010-02-05 at 21:20 +0000, Andre Lopes wrote:
> I have built a Web Application using PostgreSQL as the database. I need to
> test it against SQL Injections. What should I do? How to do an
> accurate test against SQL Injections?

There are a few things you can do, such as send various kinds of malicious strings as input, and also try sending random data as inputs. Remember to test the server itself, not the browser, javascript, or other client-side variables that you can't control. Also, be sure to test with the GUC "standard_conforming_strings" (in postgresql.conf) set to both on and off, to make sure that it works either way.

What you _really_ need to do though is to use parameterized queries. If all values are passed as parameters, and all SQL strings are constant, you are guaranteed not to have any SQL injection vulnerabilities. Using parameterized queries is dependent on the language and driver you are using.

However, be warned: some web frameworks might take parameters, and then try to build SQL strings from those parameters. This is error prone (particularly with the configuration variable I mentioned above), so don't trust the web framework if it's doing so (and request that they fix it).

I hope this helps.

Regards,
    Jeff Davis
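An added example, not from the thread and not code by anyone on the list: a small Python model of how PostgreSQL lexes a plain '...' string literal with standard_conforming_strings on versus off, used to show why an escaping routine written for one setting lets input break out of the literal under the other, which is the reason for testing both settings and for passing values as query parameters. The lexer is a deliberate simplification (assumption: only the quote and backslash rules of ordinary literals are modelled; E'...' and dollar quoting are not).

```python
# Added example, not from the thread: simplified model of PostgreSQL lexing a
# plain '...' literal with standard_conforming_strings on (backslash is an
# ordinary character) versus off (backslash escapes the next character).

def read_literal(sql: str, scs_on: bool) -> tuple[str, str]:
    """Consume one single-quoted literal at the start of `sql`.
    Returns (decoded value, SQL text left after the closing quote)."""
    if not sql.startswith("'"):
        raise ValueError("expected a string literal")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "'" and sql[i + 1:i + 2] == "'":   # '' is a quote in both modes
            out.append("'"); i += 2
        elif c == "'":                             # closing quote
            return "".join(out), sql[i + 1:]
        elif c == "\\" and not scs_on:             # \x only escapes when scs=off
            out.append(sql[i + 1:i + 2]); i += 2
        else:
            out.append(c); i += 1
    raise ValueError("unterminated string literal")

def escape_quotes(value: str) -> str:
    """Escaper that assumes scs=on: doubling quotes is all that is needed."""
    return value.replace("'", "''")

def escape_backslashes_and_quotes(value: str) -> str:
    """addslashes-style escaper that assumes scs=off: backslash-escape both."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def injected_tail(escaped_value: str, scs_on: bool) -> str:
    """Embed the escaped value as a literal and return what the lexer sees
    after the literal ends. '' means nothing leaked out of the literal;
    anything else is text the application never meant to be parsed as SQL."""
    try:
        _, rest = read_literal("'" + escaped_value + "'", scs_on)
    except ValueError:
        return "<closing quote swallowed; literal runs into the rest of the query>"
    return rest

if __name__ == "__main__":
    escapers = {"quotes": escape_quotes, "addslashes": escape_backslashes_and_quotes}
    for probe in ("' OR 1=1 --", "\\' OR 1=1 --", "\\"):   # constructed probes
        for name, fn in escapers.items():
            for scs_on in (True, False):
                mode = "on" if scs_on else "off"
                print(f"{probe!r:16} {name:10} scs={mode:3} -> {injected_tail(fn(probe), scs_on)!r}")
    # A parameterized query never sends the value through the lexer at all:
    # cur.execute("SELECT * FROM users WHERE name = %s", (probe,))
```

Each escaper is safe under the setting it was written for and leaks part of the input as SQL under the other, so a test suite that only runs with the server's current setting can miss the problem.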
Hi Andre,

What we do at my job to avoid SQL injections (PHP example):

For every web variable that comes from _POST or _GET:

    // if we expect an integer:
    $x = intval($_GET['x']);

    // if we expect money:
    $x = sprintf("%.2f", $_GET['x']);

    // if we expect a string:
    $x = pg_escape_string($_GET['x']);

    // if we expect a boolean (checkbox, for example):
    $x = $_GET['x'] ? 1 : 0;

There are other cases, but that was enough to explain :-)

We try to assure that there are no injections by svn revision/approval procedures. We do no tests, just have the rule to reject a commit that used directly variables that came from _POST or _GET.

Hope that helps.

Pedro