neilwatson has asked for the wisdom of the Perl Monks concerning the following question:

Happy CPAN day,

I have a web application that I'd like to subject to some SQL injection tests. I think it would be ideal if the tests could be rolled into the app's existing test suite. Do such tools exist? What have you used? What would you use?

Neil Watson
watson-wilson.ca

Re: SQL injection tests
by ww (Archbishop) on Aug 16, 2014 at 23:36 UTC

    Consideration ("Mark OT") seems way off base. A quick scan of the info at the 'web application' link makes it clear that neilwatson's question relates quite directly to a project which relies on Perl5.

    As for the base question: OP may have to write his own tests, but a scan of CPAN (DB families and SQL families) might lead to something relevant.


    check Ln42!

Re: SQL injection tests
by Anonymous Monk on Aug 17, 2014 at 08:55 UTC
Re: SQL injection tests
by Anonymous Monk on Aug 17, 2014 at 12:15 UTC
    Simply examine the source-code to make sure that only placeholders are used, everywhere. That no SQL strings are constructed anywhere. That no literals appear anywhere in an SQL string.
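
Added example, not part of the reply above or of the project's code: one way to turn the "placeholders only" review into a Test::More test that can live in the existing suite. It is a line-based heuristic that flags DBI calls whose SQL argument is an interpolated or concatenated string; it does not follow SQL assembled into a variable first. The sample source, table and variable names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: heuristic check that SQL handed to DBI is never built from variables.
use strict;
use warnings;
use Test::More;

# DBI methods whose first argument is an SQL string.
my $DBI_CALL = qr/->\s*(?:prepare(?:_cached)?|do|select(?:row|all|col)_\w+)\s*\(/;

# Return the line numbers of $source where a DBI call receives SQL that is
# interpolated ("... $var ...") or concatenated ('...' . $var).
sub unsafe_sql_lines {
    my ($source) = @_;
    my ( @hits, $n );
    for my $line ( split /\n/, $source ) {
        $n++;
        next unless $line =~ /$DBI_CALL(.*)/;
        my $args = $1;
        # Double-quoted or qq string that contains a scalar or array variable.
        my $interpolated = $args =~ /^\s*(?:"[^"]*[\$\@]\w|qq\W[^\n]*?[\$\@]\w)/;
        # String literal immediately followed by the concatenation operator.
        my $concatenated = $args =~ /^\s*(?:'[^']*'|"[^"]*")\s*\./;
        push @hits, $n if $interpolated || $concatenated;
    }
    return @hits;
}

# Constructed sample: lines 3 and 4 build SQL from variables, the rest bind values.
my $sample = <<'END_SRC';
my $sth = $dbh->prepare('SELECT * FROM hosts WHERE name = ?');
$sth->execute($name);
my $row = $dbh->selectrow_hashref("SELECT * FROM hosts WHERE name = '$name'");
$dbh->do('DELETE FROM hosts WHERE id = ' . $id);
$dbh->do('DELETE FROM hosts WHERE id = ?', undef, $id);
END_SRC

is_deeply( [ unsafe_sql_lines($sample) ], [ 3, 4 ],
    'only interpolated and concatenated SQL is flagged' );

# In a real suite, pass the application's source files as arguments.
for my $file (@ARGV) {
    open my $fh, '<', $file or die "$file: $!";
    my $src = do { local $/; <$fh> } // '';
    my @hits = unsafe_sql_lines($src);
    is( scalar @hits, 0, "$file: placeholders only" ) or diag "lines: @hits";
}

done_testing();
```
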
Re: SQL injection tests
by chacham (Prior) on Aug 17, 2014 at 17:20 UTC

    Better yet. Don't use dynamic SQL. Then there is no need for injection testing.