SQL injection is caused by an attacker's data being used when constructing an SQL query. Identify all of the inputs your application accepts and every place where an input ends up in an SQL statement, and then attempt different techniques to alter that statement. Refer to Chapter 16.
**Sample Test Cases**

| Test Case | Description |
|---|---|
| Search code for `SqlCommand`, etc. | Several keywords can be used to form SQL queries. Wherever a SQL query is constructed using user-supplied data, test for SQL injection. Parameterized queries should be used instead of dynamic queries. |
| Search stored procedures for `EXEC`, `EXECUTE`, `sp_execute` | If a stored procedure uses `EXEC`, `EXECUTE`, or `sp_execute` to run a SQL string that incorporates user input, SQL can be injected inside the procedure even when the caller passed the input as a parameter. |
| `aaa'; DROP TABLE Docs;--` | Uses a single quotation mark to break out of the current string literal, a semicolon to start a new statement, and a comment to discard whatever the application appends after the input. |
| `aaa' DROP TABLE Docs;--` | A semicolon isn't always needed to break out of a query; SQL Server, for example, accepts the next statement after whitespace alone. |
| `-- Comment`, `/* Comment */`, `// Comment` | Use different commenting styles to stop the rest of the query from being processed, for example to neutralize a trailing quotation mark or a clause the application appends. Which styles the server honours depends on the database engine, so try each. |
| `5; DROP TABLE Docs;--` | Single quotation marks aren't needed when the input is used in a numeric context, so a test that only checks quote handling misses this case. |
| `ASC; DROP TABLE Docs` | ASC and DESC are used in an SQL query to order the results. A sort direction (or sort column) cannot be passed as a bind parameter, so if it is supplied by the user and not validated against a fixed list, an attacker can use it to inject SQL. |
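The test cases above, run against a constructed in-memory SQLite table, as an added example that is not from the original page: each payload is fed both to a query built by string concatenation and to the parameterized form, and the result records whether the `Docs` table survived. The table name comes from the page's payloads; the columns, rows, and the function names `run_dynamic` and `run_parameterized` are assumptions for this example. `executescript()` is used for the dynamic version so that stacked statements execute, as they would on a server that accepts batches.

```python
import sqlite3

# Constructed sample schema for this example. The table name Docs comes from
# the page's payloads; the columns and rows are assumptions.
SCHEMA = """
CREATE TABLE Docs (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO Docs (id, title) VALUES (1, 'aaa'), (2, 'budget'), (3, 'roadmap');
"""

ALLOWED_DIRECTIONS = {"ASC", "DESC"}  # allow-list for the ORDER BY direction


def fresh_db():
    """Return a new in-memory database holding the sample Docs table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def docs_exists(conn):
    """True if the Docs table survived whatever was just run."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'Docs'"
    ).fetchone()
    return row is not None


def dynamic_sql(kind, value):
    """Build query text by concatenation, the pattern the test cases target.

    kind selects the context the input lands in: a quoted string, a bare
    number, or the ORDER BY direction.
    """
    if kind == "title":   # string context: a quote is needed to break out
        return "SELECT id, title FROM Docs WHERE title = '" + value + "'"
    if kind == "id":      # numeric context: no quote needed
        return "SELECT id, title FROM Docs WHERE id = " + value
    if kind == "order":   # sort direction: neither quote nor comment needed
        return "SELECT id, title FROM Docs ORDER BY title " + value
    raise ValueError("unknown kind: %r" % kind)


def run_dynamic(kind, value):
    """Run the concatenated query as a batch; return (sql, error, docs_alive).

    executescript() is used so stacked statements execute, as they would on a
    server that accepts batches. sqlite3's execute() would refuse the second
    statement, which is a driver limitation, not a defence.
    """
    conn = fresh_db()
    sql = dynamic_sql(kind, value)
    error = None
    try:
        conn.executescript(sql)
    except sqlite3.OperationalError as exc:  # e.g. a syntax error
        error = str(exc)
    return sql, error, docs_exists(conn)


def run_parameterized(kind, value):
    """The same lookups with user data kept out of the SQL text.

    Returns (rows, docs_alive). Bind parameters cover the WHERE values; the
    ORDER BY direction cannot be bound, so it is checked against an allow-list.
    """
    conn = fresh_db()
    if kind == "title":
        cur = conn.execute("SELECT id, title FROM Docs WHERE title = ?", (value,))
    elif kind == "id":
        cur = conn.execute("SELECT id, title FROM Docs WHERE id = ?", (value,))
    elif kind == "order":
        direction = str(value).upper()
        if direction not in ALLOWED_DIRECTIONS:
            raise ValueError("bad sort direction: %r" % value)
        cur = conn.execute("SELECT id, title FROM Docs ORDER BY title " + direction)
    else:
        raise ValueError("unknown kind: %r" % kind)
    return cur.fetchall(), docs_exists(conn)


if __name__ == "__main__":
    payloads = [
        ("title", "aaa'; DROP TABLE Docs;--"),
        ("title", "aaa' DROP TABLE Docs;--"),
        ("id", "5; DROP TABLE Docs;--"),
        ("order", "ASC; DROP TABLE Docs"),
    ]
    for kind, payload in payloads:
        sql, error, alive = run_dynamic(kind, payload)
        print("dynamic       %-5s %-26r Docs alive: %-5s %s" % (kind, payload, alive, error or sql))
        try:
            rows, alive = run_parameterized(kind, payload)
            print("parameterized %-5s %-26r Docs alive: %-5s rows=%r" % (kind, payload, alive, rows))
        except ValueError as exc:
            print("parameterized %-5s %-26r rejected: %s" % (kind, payload, exc))
```

Two things worth noticing when running it. The no-semicolon payload is rejected by SQLite with a syntax error, which says nothing about SQL Server, where the page's test case applies; a negative result on one engine is not evidence for another. And the parameterized `id` lookup with `5; DROP TABLE Docs;--` simply returns no rows, because the whole string is bound as a value rather than spliced into the statement. The same concatenation pattern inside a stored procedure that builds a string for `EXEC` reintroduces the problem even though the caller used a parameter; on SQL Server, `sp_executesql` with a parameter list is the analogue of the bound query shown here.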