Slashdot Mirror

← Back to Stories (view on slashdot.org)

Top 15 Free SQL Injection Scanners

Posted by kdawson on Saturday May 19, 2007 @07:02PM from the looking-for-trouble dept.

J.R writes "The Security-Hacks blog has a summary of the 15 best free SQL Injection scanners, with links to download and a little information about each one. The list is intended asan aid for both web application developers and professional security auditors."

1 of 103 comments (clear)

Min score:

Reason:

Sort:

Re:Why is this needed at all? by vr · 2007-05-19 23:01 · Score: 3, Interesting

If you just make sure you always use prepared SQL statements with positional arguments, you will never have any problems with SQL injection.

Actually, that is not true, as it ignores one problem: bugs in the database drivers. Seriously, there have been bugs in database drivers that have enabled SQL injection... I specifically remember a bug in the PostgreSQL JDBC driver a while back.

I also remember seeing a JDBC driver that simply inserted arguments into the string containing the SQL statement, although I fail to remember exactly which driver that was. This was a while back, mind you, so hopefully errors like that have been fixed. :)

Until I encountered these things, I believed that positional arguments was the silver bullet. The point here is that positional arguements in itself is no guarantee, it is only a part of an API. At some point you have to trust the developers of the database driver and the database itself, of course...