Thread: How can I test my web application against SQL Injections?
Hi,
I have build a Web Application using PostgreSQL as Database. I need to test it against SQL Injections. What should I do? How to do an accurate test against SQL Injections?
Best Regards,
I have build a Web Application using PostgreSQL as Database. I need to test it against SQL Injections. What should I do? How to do an accurate test against SQL Injections?
Best Regards,
On Fri, 2010-02-05 at 21:20 +0000, Andre Lopes wrote:
> I have build a Web Application using PostgreSQL as Database. I need to
> test it against SQL Injections. What should I do? How to do an
> accurate test against SQL Injections?
There are a few things you can do, such as send various kinds of
malicious strings as input, and also try sending random data as inputs.
Remember to test the server itself, not the browser, javascript, or
other client-side variables that you can't control. Also, be sure to
test with the GUC "standard_conforming_strings" (in postgresql.conf) set
to both on and off, to make sure that it works either way.
What you _really_ need to do though is to use parameterized queries. If
all values are passed as parameters, and all SQL strings are constant,
you are guaranteed not to have any SQL injection vulnerabilities. Using
parameterized queries is dependent on the language and driver you are
using.
However, be warned: some web frameworks might take parameters, and then
try to build SQL strings from those parameters. This is error prone
(particularly with the configuration variable I mentioned above), so
don't trust the web framework if it's doing so (and request that they
fix it).
I hope this helps.
Regards,
Jeff Davis
Hi Andre,
What we do at my job to avoid SQL injections (PHP example):
for every web variable that comes from _POST or _GET:
if we expect a integer:
$x = intval($_GET['x']);
if we expect money:
$x = sprintf("%.2f",$_GET['x'])
if we expect string:
$x = pg_escape_string($_GET['x'])
if we expect boolean (checkbox for example)
$x = $_GET['x'] ? 1 : 0;
there are other cases, but that was enough to explain :-)
we try to assure that there are no injections by svn revision/approval procedures. we do no tests, just have the rule
toreject a commit that used directly variables that came from _POST or _GET.
Hope that helps.
Pedro
----- ORIGINAL MESSAGE ----
FROM: Andre Lopes
TO: pgsql-general@postgresql.org
DATE: Fri, 5 Feb 2010 21:20:26 +0000
SUBJECT: [GENERAL] How can I test my web application against SQL
Injections?
Hi,
I have build a Web Application using PostgreSQL as Database. I need
to test it against SQL Injections. What should I do? How to do an
accurate test against SQL Injections?
Best Regards,