I just needed some help regarding validating links for SQL injection automatically.

For instance: there is a site, say

http://www.example.com/news.php?id=13

After inserting a quotation mark at the end we get a MySQL error like this:

http://www.example.com/news.php?id=13'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' order by Sort DESC Limit 0,12' at line 1

So I was wondering whether there is any way I can check these links for errors automatically. E.g. before the injected URL is executed it should show a normal status, but after injection it should show an abnormal status.

NOTE: I am not talking about my website. I am developing an application online that will be free for developers for checking their site security.

Any help will be appreciated :)

Nida Zubair
  • How would you detect if the site threw an error? Any half-way decent production site would not be displaying server-side errors to the user, or only showing "sorry, something exploded" and no details. – Marc B Feb 09 '12 at 22:34
  • This is sort of an ironic question, but snide remarks aside I think you should update your post with the actual query you're running. It might be a simple syntax error. – Kai Qing Feb 09 '12 at 22:35
  • Just check this site for instance: http://www.bonsaitrees.com/gallery.php?id=5 . After putting a quotation mark at the end you get an SQL error: http://www.bonsaitrees.com/gallery.php?id=5' . I was wondering if there is any way to capture this error. – Nida Zubair Feb 09 '12 at 22:38
  • @NidaZubair, there are a lot of such applications on the internet. Are you going to offer it as an online or an offline solution? – Shankar Narayana Damodaran Feb 09 '12 at 22:43
  • @sh4nx0r ... an online solution. Other applications expect direct links to be entered, but my application will require only a simple URL like http://www.example.com/ – Nida Zubair Feb 09 '12 at 22:46
  • And that site you link is totally open to SQL injection, for example: http://www.bonsaitrees.com/gallery.php?id=5||1=1 – StudyOfCrying Feb 09 '12 at 22:57
  • Without seeing the code that you are trying to run it is hard to give you any concise advice but you should start by filtering your user input http://www.php.net/manual/en/function.filter-var.php and using prepared statements http://www.php.net/manual/en/pdo.prepare.php to avoid errors such as this. I have assumed PHP but I am sure similar functions/methods exist whatever your language of choice. – user1191247 Feb 10 '12 at 00:07

1 Answer

Validating has nothing to do with injections.

Validating and injection protection are completely different tasks.

You may validate your data whatever way you like, but injection protection is a completely different matter. It is data independent.

Your code has to be able to insert whatever data - links, numbers, HTML code, binary objects - whatever. I've explained the whole matter earlier, so I won't repeat myself.

As for the validation - you may check your links to be valid - with http:// in front and such. But again, it has nothing to do with injections.

I am developing an application online that will be free for developers for checking there site security.

Gosh! Are you sure you are experienced enough?

Your Common Sense
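The answer and the comments above make three separate points that are easy to conflate: the error text in the question leaks because the page echoes the database error to the visitor, input validation (filter_var) and injection protection (prepared statements) are different tasks, and only the latter is data independent. The following PHP is an added example written for this thread, not code from the question, the answer or any of the sites mentioned. It assumes a MySQL table `news` with an integer primary key `id`, columns `title` and `Sort`, and placeholder connection details.

```php
<?php
declare(strict_types=1);

// Added example; assumes a `news` table (id INT PRIMARY KEY, title, Sort)
// and placeholder DSN / credentials.

// --- The pattern behind the error quoted in the question -------------------
// The raw query-string value is pasted into SQL, so `?id=13'` produces an
// unbalanced quote in the statement, and the database's own error text is
// then echoed to the visitor. Shown for contrast only; do not deploy.
function vulnerable_news_sql(string $rawId): string
{
    return "SELECT title FROM news WHERE id=" . $rawId . " ORDER BY Sort DESC LIMIT 0,12";
}

// --- Hardened version ------------------------------------------------------
function fetch_news(PDO $db, string $rawId): ?array
{
    // Validation: this page only makes sense for a positive integer id.
    // filter_var rejects "13'", "5||1=1", "abc" etc. before MySQL is involved.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller answers with a generic client error
    }

    // Injection protection: a prepared statement with a bound parameter.
    // This is data independent: it would protect a string column just as well,
    // which is why validation alone is not an injection defence.
    $stmt = $db->prepare(
        'SELECT title FROM news WHERE id = :id ORDER BY Sort DESC LIMIT 0, 12'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    // Placeholder connection details.
    $db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);

    $rawId = $_GET['id'] ?? '';
    $rows  = is_string($rawId) ? fetch_news($db, $rawId) : null;

    if ($rows === null) {
        http_response_code(400);
        echo 'Invalid id';
        exit;
    }

    foreach ($rows as $row) {
        // Output encoding is a separate concern again (XSS, not SQL injection).
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (PDOException $e) {
    // Detail goes to the server log; the visitor gets a generic message.
    // A probe such as ?id=13' therefore sees the same response shape as any
    // other bad input, never the "You have an error in your SQL syntax" text.
    error_log('news.php: ' . $e->getMessage());
    http_response_code(500);
    echo 'Something went wrong';
}
```

Two things to notice when reading it against the thread. First, the automated check the question describes only works because the vulnerable page prints the database error; with the `catch` block above, the "before" and "after" responses differ only by status code, which is the behaviour Marc B's comment expects from a production site. Second, even if `filter_var` were removed, `bindValue` with `PDO::PARAM_INT` would still keep the value out of the SQL text; the validation step is there to give a sensible 400 for nonsense input, not to stop injection.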