Re: How can I test my web application against SQL Injections?

From: pedro2009@mandic.com.br
Subject: Re: How can I test my web application against SQL Injections?
Date:
Msg-id: 1265460734224880133@webmail.mandic.com.br
In reply to: How can I test my web application against SQL Injections?  (Andre Lopes <lopes80andre@gmail.com>)
List: pgsql-general
Hi Andre,

  What we do at my job to avoid SQL injections (PHP example):
   for every web variable that comes from _POST or _GET:
   if we expect an integer:
     $x = intval($_GET['x']);
   if we expect money:
     $x = sprintf("%.2f", $_GET['x']);
   if we expect a string:
     $x = pg_escape_string($_GET['x']);
   if we expect a boolean (checkbox for example):
     $x = $_GET['x'] ? 1 : 0;

   there are other cases, but that was enough to explain :-)

  we try to assure that there are no injections by svn revision/approval procedures. we do no tests, just have the rule
to reject a commit that used directly variables that came from _POST or _GET.

  Hope that helps.
  Pedro

 ----- ORIGINAL MESSAGE ----
 FROM: Andre Lopes
 TO: pgsql-general@postgresql.org
 DATE: Fri, 5 Feb 2010 21:20:26 +0000
 SUBJECT: [GENERAL] How can I test my web application against SQL Injections?
    Hi,

 I have built a Web Application using PostgreSQL as Database. I need
to test it against SQL Injections. What should I do? How to do an
accurate test against SQL Injections?

 Best Regards,

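The per-type gate Pedro describes, written out as a complete handler. This is an added example, not code from Pedro's message or from the PostgreSQL project; it assumes PHP 8 with the pgsql extension, and the table name `orders`, its column names, the `coerceInput`/`coerceRequest` helpers and the connection string are placeholders chosen for the illustration. It goes one step beyond the message: after coercing each value to its expected type, the query is sent through `pg_query_params`, so string values never need `pg_escape_string` because the driver keeps SQL text and data apart.

```php
<?php
// Added example (not from the original message). Per-type coercion of request
// input in the spirit of Pedro's rules, followed by a parameterized query.
// Assumes PHP 8 and the pgsql extension; table/column names are placeholders.

declare(strict_types=1);

/**
 * Coerce one raw request value to the type the handler expects.
 * Anything that does not fit the declared type collapses to a harmless
 * value of that type, so SQL fragments smuggled into a numeric field vanish.
 */
function coerceInput(string $type, mixed $raw): int|string|bool
{
    return match ($type) {
        'int'    => intval($raw),                    // "7; DROP TABLE orders; --" -> 7
        'money'  => sprintf('%.2f', (float) $raw),   // "10 OR 1=1" -> "10.00"
        'bool'   => (bool) $raw,                     // checkbox present -> true
        'string' => (string) $raw,                   // no escaping here; the driver handles it
        default  => throw new InvalidArgumentException("unknown type: $type"),
    };
}

/** Apply a {name => type} schema to a raw request array; unknown keys are dropped. */
function coerceRequest(array $schema, array $request): array
{
    $clean = [];
    foreach ($schema as $name => $type) {
        $clean[$name] = coerceInput($type, $request[$name] ?? null);
    }
    return $clean;
}

// Schema for a hypothetical order-search form (placeholder names).
$schema = [
    'customer_id' => 'int',
    'min_total'   => 'money',
    'paid'        => 'bool',
    'note'        => 'string',
];

// Constructed hostile input standing in for $_GET during a review or unit test.
$fakeGet = [
    'customer_id' => "7; DROP TABLE orders; --",
    'min_total'   => "10 OR 1=1",
    'paid'        => "1",
    'note'        => "O'Brien",
    'ignored'     => "not in the schema, silently dropped",
];

$in = coerceRequest($schema, $fakeGet);
// $in is ['customer_id' => 7, 'min_total' => '10.00', 'paid' => true, 'note' => "O'Brien"]

// The SQL text holds only $1..$4 placeholders; the values travel separately,
// so even the apostrophe in "O'Brien" cannot change the statement.
$sql = 'SELECT id, total FROM orders '
     . 'WHERE customer_id = $1 AND total >= $2 AND paid = $3 AND note = $4';
$params = [
    $in['customer_id'],
    $in['min_total'],
    $in['paid'] ? 't' : 'f',   // PostgreSQL boolean literal; a PHP false would arrive as ""
    $in['note'],
];

$db = pg_connect('host=localhost dbname=app user=app');   // placeholder connection string
if ($db === false) {
    throw new RuntimeException('connection failed');
}
$res = pg_query_params($db, $sql, $params);
if ($res === false) {
    throw new RuntimeException(pg_last_error($db));
}
foreach (pg_fetch_all($res) ?: [] as $row) {
    printf("order %d total %s\n", $row['id'], $row['total']);
}
```

The coercion step is what makes Pedro's commit rule checkable in review: a handler that reads `$_GET` or `$_POST` anywhere except through `coerceRequest` is the thing to reject. The parameterized query then covers the `string` case that escaping used to handle, and a test can feed the constructed `$fakeGet` above through the handler and assert that the coerced array contains no SQL fragments before any database is involved.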