Participants
Andre Lopes
Andre Lopes
Jeff Davis
Jeff Davis
Pedro Zorzenon Neto
Pedro Zorzenon Neto
Attachments
Show all attachments
Thread Outline
#1Andre LopesAndre Lopes
Feb 05, 2010
#2Jeff DavisJeff Davisto Andre Lopes (#1)
Feb 06, 2010
#3Pedro Zorzenon NetoPedro Zorzenon Netoto Jeff Davis (#2)
Feb 06, 2010

How can I test my web application against SQL Injections?

Started by Andre Lopesabout 16 years ago3 messagesgeneral
Jump to latest
#1Andre Lopes
Andre Lopes
lopes80andre@gmail.com

Hi,

I have build a Web Application using PostgreSQL as Database. I need to test
it against SQL Injections. What should I do? How to do an accurate test
against SQL Injections?

Best Regards,

#2Jeff Davis
Jeff Davis
pgsql@j-davis.com
In reply to: Andre Lopes (#1)
Re: How can I test my web application against SQL Injections?

On Fri, 2010-02-05 at 21:20 +0000, Andre Lopes wrote:

I have build a Web Application using PostgreSQL as Database. I need to
test it against SQL Injections. What should I do? How to do an
accurate test against SQL Injections?

There are a few things you can do, such as send various kinds of
malicious strings as input, and also try sending random data as inputs.
Remember to test the server itself, not the browser, javascript, or
other client-side variables that you can't control. Also, be sure to
test with the GUC "standard_conforming_strings" (in postgresql.conf) set
to both on and off, to make sure that it works either way.

What you _really_ need to do though is to use parameterized queries. If
all values are passed as parameters, and all SQL strings are constant,
you are guaranteed not to have any SQL injection vulnerabilities. Using
parameterized queries is dependent on the language and driver you are
using.

However, be warned: some web frameworks might take parameters, and then
try to build SQL strings from those parameters. This is error prone
(particularly with the configuration variable I mentioned above), so
don't trust the web framework if it's doing so (and request that they
fix it).

I hope this helps.

Regards,
Jeff Davis

#3Pedro Zorzenon Neto
Pedro Zorzenon Neto
pedro2009@mandic.com.br
In reply to: Jeff Davis (#2)
Re: How can I test my web application against SQL Injections?

Hi Andre,

What we do at my job to avoid SQL injections (PHP example):
for every web variable that comes from _POST or _GET:
if we expect a integer:
$x = intval($_GET['x']);
if we expect money:
$x = sprintf("%.2f",$_GET['x'])
if we expect string:
$x = pg_escape_string($_GET['x'])
if we expect boolean (checkbox for example)
$x = $_GET['x'] ? 1 : 0;

there are other cases, but that was enough to explain :-)

we try to assure that there are no injections by svn revision/approval procedures. we do no tests, just have the rule to reject a commit that used directly variables that came from _POST or _GET.

Hope that helps.
Pedro

----- ORIGINAL MESSAGE ----
FROM: Andre Lopes
TO: pgsql-general@postgresql.org
DATE: Fri, 5 Feb 2010 21:20:26 +0000
SUBJECT: [GENERAL] How can I test my web application against SQL
Injections?
  Hi,

I have build a Web Application using PostgreSQL as Database. I need
to test it against SQL Injections. What should I do? How to do an
accurate test against SQL Injections?

Best Regards,

 

Import Notes
Resolved by subject fallback
← Back to Topics