Re^2: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

You said that Most hackers use an up-to-date bundle of tricks, typically already in a script, to try to cause harm...and don't bother hand hacking. I didn't have much success looking that up in Google. Do you have any suggestion on resources/modules providing test cases of SQL injection or any other type of security threat? Such a module would be great for testing code safety or queries safety.

BTW, when/if possible, it always seems safer to me to check inputs in a "white list" fashion. If you check that inputs contain only letters, numbers and underscores and don't exceed a certain length, that would probably increase security by a great deal.

Comment on Re^2: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite

Replies are listed 'Best First'.
Re^3: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite by andreas1234567 (Vicar) on Jan 10, 2008 at 19:36 UTC
The Open Web Application Security Project (OWASP) project has a tool called OWASP SQLiX that fits the description. It also happens to be written in Perl (by Cedric Cochin). Download here. cedri.cc states: "All content released under a Creative Commons License unless otherwise noted." You should also read OWASP's Testing for SQL Injection article that includes a number of references to papers and tools touching the subject. -- Andreas	[reply]

Replies are listed 'Best First'.

Re^3: Preventing SQL injection attacks: Placeholders are enough for MySQL, Postgresql and SQLite
by andreas1234567 (Vicar) on Jan 10, 2008 at 19:36 UTC

Open Web Application Security Project (OWASP)

OWASP SQLiX

here

cedri.cc

All content released under a Creative Commons License unless otherwise noted."

You should also read OWASP's Testing for SQL Injection article that includes a number of references to papers and tools touching the subject.

--
Andreas

[reply]