Thread: SQL Injections - How to test for it?
-
Jun 23rd, 2008 09:58 AM
#1
SQL Injections - How to test for it?
This is an unusual request.
I need to do some security testing, and part of it deals with SQL Injections. Can someone suggest ways to test for this, or if there are applications that can do this for you and spit out a report?
Thanks.
-
Jun 23rd, 2008 10:11 AM
#2

Originally Posted by hightech
This is an unusual request.
I need to do some security testing, and part of it deals with SQL Injections. Can someone suggest ways to test for this, or if there are applications that can do this for you and spit out a report?
Thanks.
Lot of Google resources out there...
Here is one: http://www.owasp.org/index.php/Testi..._SQL_Injection

From one of the resources found in the link above:
There are two complementary and successful methods of mitigating SQL Injection attacks:
* Parameterized queries using bound, typed parameters
* Careful use of parameterized stored procedures.
I've always used the first one. Haven't created many stored procedures so can't comment on the second point.
http://www.owasp.org/index.php/Avoiding_SQL_Injection
-
Jun 25th, 2008 02:53 PM
#3
If you wait long enough, someone will be kind enough to test it for you.
We got hit hard a month or so ago. Damn lazy coding (and security "expert" who took 4 days to do a damn thing about it).
And honestly, it doesn't matter if you're using SPs, if they're not parameterized in your code. Can still break out of your SP, and run the injected script.
Last edited by Flux; Jun 25th, 2008 at 02:58 PM.
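A concrete illustration of the points in #2 and #3, added here as an example that is not from either poster: the same lookup written once with string concatenation and once with a bound parameter, plus a small self-check of the kind the original question asks about. The sqlite3 in-memory table, the user rows and the function names are all constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database (in-memory, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_concat(conn, name):
    """Vulnerable: the value is spliced into the SQL text, so a quote inside
    it becomes SQL syntax. This is the 'lazy coding' pattern from post #3,
    and calling a stored procedure this way is just as exposed."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    """Mitigated: a bound, typed parameter (post #2's first method). The
    driver sends the value separately from the statement, so it can never
    change the query's structure, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def looks_injectable(conn, lookup):
    """Simple self-test for your own code: a value that matches no row should
    return nothing. If appending a tautology to that same value changes the
    result set, the lookup is treating input as SQL and needs fixing."""
    baseline = lookup(conn, "nobody")
    probe = lookup(conn, "nobody' OR '1'='1")
    return probe != baseline


if __name__ == "__main__":
    db = make_db()
    for fn in (find_user_concat, find_user_param):
        print(fn.__name__, "injectable:", looks_injectable(db, fn))
```

The same check applied to every data-access function in a code base is a cheap regression test; a scanner of the kind the question asks about automates exactly this comparison against live HTTP inputs.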