How to test if SQL injection is blocked?

Question

How could I test to see if SQL injection doesn't work in a textbox on my site?

Answer 1

You could use this list to create attacks against your code: http://ha.ckers.org/sqlinjection/

You also can assemble a list of 'dangerous' characters and character combinations and create (pseudo)-random input values from it.

Answer 2

you usually have to think how the data from the input field will reach the actual select. Once you know that you try to see what sort of text can you put in that field to terminate a sql statement and start another.

For example, if you have do something like this in code: 'select * from table where id = ' . $_GET['id'] and i call you with script.php?id=0%20OR%20true; drop table table; i can execute two statements.

But in general you should avoid constructing selects by concatenating. Better to use bounded parameters as another responder suggested.

Answer 3

Usual check is to just add all special symbols once in field and see if there is an SQL error. If there is no error and record is correctly inserted into DB - that's fine.

Answer 4

Just enter this String:

'";

If no escaping is in action, this will break your SQL for sure.

See this site about better Strings and this question for more info.

Answer 5

Use a mechanism that guarantees it's impossible by design, like bound parameters. Then no testing (for SQL injection resistance) is necessary.

Put another way: don't rely on ad-hoc escaping code; it's very likely you won't get it 100% correct.