3 votes

Hello, I am developing a website and doing some penetration testing. It is built in CakePHP, whose documentation has made me aware that:

CakePHP already protects you against SQL Injection if you use CakePHP's ORM methods (such as find() and save()) and proper array notation (ie. array('field' => $value)) instead of raw SQL.

However I am unsure what data to enter into my input form fields in order to test for SQL injection prevention.

I have the following table names with simple VARCHAR attributes:

 categories: name
 clients: address, county, country, name
 items: name
 statuses: name

Would this SQL statement, entered into a form and submitted, be the correct way of testing an SQL injection attempt?

DROP TABLE "categories";

After submitting this on the form, the value that entered the database was:

DROP TABLE "categories";

Can I assume this means the website has been protected from an attempted SQL injection, as it did not drop the categories table in my database?

3
Did you follow the guidelines and use ORM methods exclusively? If so, then look at other issues such as securing access to your application and database, proper escaping of output, session hijacking, securing sensitive pages with SSL, and mitigating brute force password attacks. - Ami
This is geared slightly towards SQL Server, but this is always a good read for the concepts and ideas it presents: sommarskog.se/dynamic_sql.html#SQL_injection - Bridge

3 Answers

0 votes

SQL injection attacks occur when your code does not use parameterized queries. SQL injection tools are listed in: How can I test my web site for SQL injection attacks?

0 votes

Good question, but the answers are too many to put as an answer. I recommend doing some searches and reading many sites that come up to understand more.

Nice list of tools here: http://www.darknet.org.uk/tag/sql-injection-tool/

0 votes

Bear in mind that almost all automated SQL injection scanning tools only find the simplest forms of the vulnerability and miss most real-world instances of this problem.

An educated and experienced human attacker/tester will always perform a far better job and find a whole host of sqli problems that the tools don't.

However... SQL injection is one of the simplest webapp vulnerabilities to remediate. So if you have access to the source, just read it and ensure that it is correctly using bound parameters or stored procedures and never building an SQL command by appending strings together. If you see anything like

sql = 'select col from table where x=' + variable

then alarm bells should go off. Reading and adjusting the source is almost certainly going to be far faster, easier and more effective than trying to perform the kind of testing that can need years of experience to master.

See https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
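The question's test input and the last answer's "alarm bells" pattern can be put side by side in a small, runnable demonstration. The following Python script is an added example, not code from the question, the answers or CakePHP; it uses an in-memory SQLite database with a constructed `clients` table (the OP's table name, a made-up schema) and compares a query built by string concatenation, as in the `+ variable` line above, with one that uses bound parameters. Two inputs are tried: the OP's `DROP TABLE "categories";` and a perfectly ordinary client name containing an apostrophe.

```python
import sqlite3

# Constructed schema mirroring the OP's "clients: name" table (hypothetical columns).
SCHEMA = "CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"


def make_db():
    """Fresh in-memory database so every case starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_concat(conn, name):
    """The pattern the answer warns about: data spliced into the SQL text.
    Whatever the user typed becomes part of the statement the engine parses."""
    sql = "INSERT INTO clients (name) VALUES ('" + name + "')"
    conn.execute(sql)


def insert_bound(conn, name):
    """The remediation: a placeholder in the SQL, the value passed separately.
    The engine never parses the user's text as SQL, only stores it."""
    conn.execute("INSERT INTO clients (name) VALUES (?)", (name,))


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM clients ORDER BY id")]


def run_case(insert_fn, name):
    """Run one insert against a fresh database.
    Returns ("ok", [stored names]) or ("error", message) if the SQL engine
    rejected the statement, which is the tell-tale sign that user input is
    being interpreted as SQL rather than as data."""
    conn = make_db()
    try:
        insert_fn(conn, name)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", stored_names(conn))


if __name__ == "__main__":
    # Constructed inputs: the OP's test string and an ordinary name with a quote.
    inputs = ['DROP TABLE "categories";', "O'Brien"]
    for label, fn in (("concatenated", insert_concat), ("bound parameter", insert_bound)):
        for value in inputs:
            print(f"{label:16s} {value!r:28s} -> {run_case(fn, value)}")
```

Running it shows why the OP's test proves nothing: `DROP TABLE "categories";` contains no single quote, so it sits harmlessly inside the string literal and is stored verbatim by both the vulnerable and the safe code. The apostrophe in `O'Brien`, on the other hand, makes the concatenated statement fail with a syntax error while the bound-parameter version stores the name unchanged. A database error triggered by ordinary punctuation in a form field is the cheapest signal that input is reaching the SQL parser, which is exactly what a source review for string-built queries should catch first.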