Re: How can I test my web application against SQL Injections?

From: Jeff Davis <pgsql(at)j-davis(dot)com>
To: Andre Lopes <lopes80andre(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: How can I test my web application against SQL Injections?
Date: 2010-02-06 00:50:34
Message-ID: 1265417434.27481.14.camel@monkey-cat.sm.truviso.com
Lists: pgsql-general

On Fri, 2010-02-05 at 21:20 +0000, Andre Lopes wrote:
> I have built a Web Application using PostgreSQL as Database. I need to
> test it against SQL Injections. What should I do? How to do an
> accurate test against SQL Injections?

There are a few things you can do, such as send various kinds of
malicious strings as input, and also try sending random data as inputs.
Remember to test the server itself, not the browser, javascript, or
other client-side variables that you can't control. Also, be sure to
test with the GUC "standard_conforming_strings" (in postgresql.conf) set
to both on and off, to make sure that it works either way.

What you _really_ need to do though is to use parameterized queries. If
all values are passed as parameters, and all SQL strings are constant,
you are guaranteed not to have any SQL injection vulnerabilities. Using
parameterized queries is dependent on the language and driver you are
using.

However, be warned: some web frameworks might take parameters, and then
try to build SQL strings from those parameters. This is error prone
(particularly with the configuration variable I mentioned above), so
don't trust the web framework if it's doing so (and request that they
fix it).

I hope this helps.

Regards,
Jeff Davis
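The two patterns Jeff contrasts, string building versus parameterized queries, side by side with a small probe harness of the kind he suggests (send awkward and malicious strings, watch the server's behaviour). This is an added example, not code from the thread or from PostgreSQL; it uses Python's built-in sqlite3 module as an offline stand-in for the application's PostgreSQL database, since both expose the same DB-API 2.0 `cursor.execute(sql, params)` contract (psycopg2 uses `%s` placeholders where sqlite3 uses `?`). The `users` table, the probe inputs and the function names are constructed for the illustration.

```python
import sqlite3

# Constructed sample schema standing in for the application's database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    conn.commit()
    return conn

def lookup_concat(conn, name):
    """The error-prone pattern: the SQL text itself changes with every input,
    so quoting rules (including a server setting such as
    standard_conforming_strings) become the application's problem."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# Constant SQL text: the only thing that varies is the bound parameter value.
LOOKUP_SQL = "SELECT name FROM users WHERE name = ?"

def lookup_param(conn, name):
    """Parameterized pattern: the driver delivers `name` as data, never as SQL,
    so quoting and escaping are handled by the driver, not the application."""
    return [row[0] for row in conn.execute(LOOKUP_SQL, (name,))]

# Constructed probe inputs: an ordinary name, a name containing a quote
# (legitimate data that breaks naive quoting), and a classic tautology.
PROBES = ["alice", "O'Brien", "' OR '1'='1"]

def probe(conn, lookup, probes=PROBES):
    """Run each probe through `lookup` and report the ones that misbehave:
    a database error means the input altered the statement's syntax; more
    than one row means the input altered its logic (a lookup by unique name
    can legitimately match at most one user)."""
    findings = []
    for p in probes:
        try:
            rows = lookup(conn, p)
        except sqlite3.Error as exc:
            findings.append((p, "error: %s" % exc))
            continue
        if len(rows) > 1:
            findings.append((p, "returned %d rows" % len(rows)))
    return findings

if __name__ == "__main__":
    db = make_db()
    print("string building :", probe(db, lookup_concat))
    print("parameterized   :", probe(db, lookup_param))
```

Run against the concatenating lookup, the probe reports both a syntax error (`O'Brien`) and a logic change (every user returned); against the parameterized lookup it reports nothing, and `O'Brien` simply matches no row. The same harness, pointed at the real server through psycopg2 with `standard_conforming_strings` set to `on` and then `off`, is one way to carry out the test Jeff describes.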
