Top 15 Free SQL Injection Scanners
J.R writes "The Security-Hacks blog has a summary of the 15 best free SQL Injection scanners, with links to download and a little information about each one. The list is intended as an aid for both web application developers and professional security auditors."
Re:Why is this needed at all? (Score:2, Informative)
Re:Why is this needed at all? (Score:5, Informative)
The result being that SQL injection is only one forgotten function call away.
Re:what exactly is an sql injection? (Score:4, Informative)
e.g.
'select * from employees where fullName like ' + mySQLInjectedInputFromUser
where mySQLInjectedInputFromUser has been assigned a value entered by the user:-
Fred Flinstone; GO; delete employees; GO
Validating Input (Score:2, Informative)
One of the best SQL injection attacks I've seen... (Score:5, Informative)
I was able to change an innocuous 'select
This was nicely reported back to me as a SQL error stating that SQL was unable to convert "sdfsdfsdfsdf" into an integer, where "sdfsdfsdfsdf" was user id 1's password. I reported the problem to the site's owners, and it was still a month before they fixed it.
Moral of story - don't show the users any SQL errors, it gives them far too much information.
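The two comments above make one point each: concatenating user text into a query string turns that text into SQL, and echoing the database's error text hands the user a free debugging console. The following is an added example written for this page, not code from the thread or from the Security-Hacks blog. It uses a throw-away sqlite3 in-memory table and hypothetical helper names (make_db, find_employees_unsafe, find_employees_safe, handle_search, employee_count); the injected value is the one quoted in the thread, used only to show that a bound parameter treats it as a plain, non-matching name and that the web layer can log the driver's error without showing it to the client.

```python
import logging
import sqlite3
import uuid

# Constructed sample data (not from the thread): a throw-away in-memory employees table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table employees (id integer primary key, fullName text, password text)")
    conn.executemany(
        "insert into employees (fullName, password) values (?, ?)",
        [("Fred Flintstone", "yabba"), ("Barney Rubble", "dabba")],
    )
    conn.commit()
    return conn

# The pattern from the comment above: the user's text is glued onto the SQL string, so the
# database parses it as SQL. The caller is even expected to supply the quotes, as in the thread.
def find_employees_unsafe(conn, user_input):
    query = "select fullName from employees where fullName like " + user_input
    return [row[0] for row in conn.execute(query)]

# Hardened version: the name travels as a bound parameter, which the driver always treats as
# a value. Semicolons and keywords inside it can never become a second statement.
def find_employees_safe(conn, name_pattern):
    query = "select fullName from employees where fullName like ?"
    return [row[0] for row in conn.execute(query, (name_pattern,))]

# The second moral from the thread: the web layer never echoes the database's own error text.
# The detail goes to the server log under a reference id; the client sees only the id.
def handle_search(conn, user_input, use_safe=True):
    try:
        lookup = find_employees_safe if use_safe else find_employees_unsafe
        return {"status": "ok", "results": lookup(conn, user_input)}
    except (sqlite3.Error, sqlite3.Warning) as exc:
        ref = uuid.uuid4().hex[:8]
        logging.error("search failed ref=%s input=%r error=%s", ref, user_input, exc)
        return {"status": "error", "message": "Search failed (reference %s)" % ref}

def employee_count(conn):
    return conn.execute("select count(*) from employees").fetchone()[0]

# The injected value quoted in the thread (kept verbatim, spelling included).
INJECTED_INPUT = "Fred Flinstone; GO; delete employees; GO"

if __name__ == "__main__":
    db = make_db()
    print(find_employees_unsafe(db, "'Fred%'"))               # ['Fred Flintstone'], only because the caller quoted it
    print(handle_search(db, INJECTED_INPUT, use_safe=False))  # generic message; the SQL error is in the log
    print(handle_search(db, INJECTED_INPUT))                  # {'status': 'ok', 'results': []}
    print(employee_count(db))                                 # 2: the table is untouched
```

Note that sqlite3 refuses to run more than one statement per execute() call, so the unsafe path here fails with a parse error rather than executing the second statement; other drivers and database servers are not all that strict, which is why the fix is the bound parameter, not the driver's behaviour. The handler treats a driver warning the same as an error, since the message text of either can leak schema details.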