On Fri, 2010-02-05 at 21:20 +0000, Andre Lopes wrote: > I have build a Web Application using PostgreSQL as Database. I need to > test it against SQL Injections. What should I do? How to do an > accurate test against SQL Injections? There are a few things you can do, such as send various kinds of malicious strings as input, and also try sending random data as inputs. Remember to test the server itself, not the browser, javascript, or other client-side variables that you can't control. Also, be sure to test with the GUC "standard_conforming_strings" (in postgresql.conf) set to both on and off, to make sure that it works either way. What you _really_ need to do though is to use parameterized queries. If all values are passed as parameters, and all SQL strings are constant, you are guaranteed not to have any SQL injection vulnerabilities. Using parameterized queries is dependent on the language and driver you are using. However, be warned: some web frameworks might take parameters, and then try to build SQL strings from those parameters. This is error prone (particularly with the configuration variable I mentioned above), so don't trust the web framework if it's doing so (and request that they fix it). I hope this helps. Regards, Jeff Davis -- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
