Slashdot Mirror


Top 15 Free SQL Injection Scanners

J.R writes "The Security-Hacks blog has a summary of the 15 best free SQL Injection scanners, with links to download and a little information about each one. The list is intended as an aid for both web application developers and professional security auditors."

3 of 103 comments

  1. Why is this needed at all? by Anonymous Coward · Score: 5, Insightful
    If you just make sure you always use prepared SQL statements with positional arguments, you will never have any problems with SQL injection.

    I suppose it's the over-use of PHP (which for a long time didn't even support prepared statements (does it even do it today?)) combined with stupid users that created the current situation.

    1. Re:Why is this needed at all? by mabinogi · Score: 5, Informative

      It's the completely wrong answer to the problem though, as it still promotes the idea of using SQL built by string concatenation.
      The result being that SQL injection is only one forgotten function call away.

      --
      Advanced users are users too!
    2. Re:Why is this needed at all? by hclyff · Score: 5, Insightful

      Every language allows you to write libraries which do things properly. The language is not a limiting factor here. PHP did not for a long time. And no, I don't believe that "magic quotes" allows you to write secure code properly. Any framework which relies on string concatenation for building an SQL command is inviting insecure code, because the programmer has to *actively* seek to fix injection problems. There is statistical certainty he will overlook something sooner or later. Coupled with the fact that PHP4 was (is?) prevalent compared to PHP5/6 for a long time, it just might be the single most contributing factor to why SQL injections are so common.
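The point made across this thread (prepared statements with positional arguments versus SQL built by string concatenation) is easiest to see with both versions side by side. The following is an added example, not code from the thread or from any of the commenters; it uses Python's standard `sqlite3` module with an in-memory database and a constructed three-row `users` table, and the two lookup functions and the `compare` helper are assumptions of this example. It shows that with concatenation the contents of the input become part of the SQL text (an apostrophe in a legitimate name like O'Brien already breaks the statement, and a quote followed by extra SQL rewrites its logic), while with a bound `?` parameter the same inputs are treated purely as data.

```python
import sqlite3

# Constructed sample data (not from the thread): a tiny users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """Create a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_concat(conn, name):
    """The pattern the thread warns against: SQL built by string concatenation.

    Whatever `name` contains becomes part of the SQL text, so a quote in the
    input changes the statement's structure instead of being treated as data.
    (Deliberately unsafe; shown only for comparison with the version below.)
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn, name):
    """Prepared statement with a positional parameter.

    The SQL text is fixed at authoring time; `name` is bound as a value by the
    driver, so it can never alter the query regardless of what it contains.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both versions on the same input and report what each returned.

    A parse error raised by the concatenated version is captured as a string
    so the two outcomes can be inspected together.
    """
    conn = make_db()
    try:
        concat = find_user_concat(conn, name)
    except sqlite3.Error as exc:
        concat = f"error: {exc}"
    prepared = find_user_prepared(conn, name)
    return {"concat": concat, "prepared": prepared}


if __name__ == "__main__":
    # Constructed inputs: a plain name, a name with an apostrophe, and an
    # input whose quote is followed by extra SQL text.
    for candidate in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(candidate), compare(candidate))
```

On the plain name both functions agree. On `O'Brien` the concatenated query fails to parse while the prepared one returns the row, which is the everyday symptom that a concatenating code base papers over with escaping helpers. On the third input the concatenated query's `WHERE` clause no longer means what the author wrote and returns every row, whereas the prepared statement returns nothing because no user has that literal name; that is the "one forgotten function call" the thread describes, and it cannot happen in the prepared version no matter which call is forgotten.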