
Is there a way to test my website against sql injection?

Discussion in 'General Security' started by Dano2, Mar 5, 2010.

Thread Status:
Not open for further replies.
  1. Dano2

    Dano2 Thread Starter

    Joined:
    Nov 30, 1999
    Messages:
    962
    Hi,
    I have a friend at work in security. He mentioned something about sql injection and said
    I should check my site to see if it is vulnerable to that.

    Is there any way I can test my site for that? Also, what are some of the other things a person
    can do to make sure their site is secure from being hacked into?

    Thanks. Dan
     
  2. antimoth

    antimoth

    Joined:
    Aug 8, 2009
    Messages:
    361
    Does your website use an SQL database that is read and changed with user information entered on its web pages? If not, then you don't have to worry about it.

    If you do, then it will depend on who wrote the software. If you bought a third party application that is popular and well known and with a reputation for security, then maybe you don't worry.

    If your friend is good, buy him lunch and have him look at your website. It's a complex topic, which you will see if you Google it.
     
  3. Dano2

    Dano2 Thread Starter

    Joined:
    Nov 30, 1999
    Messages:
    962
    Hi and thanks. I did buy a third party software that has a customer order page for their shipping address information etc. It then connects to paypal. I bought it because it can give me more options for USPS shipping rates, product quantity options etc and again more options than PayPal, and then it takes the customer to Paypal where they complete the transaction.

    I believe it does use a sql database that hooks up to my host. I checked with the Company I bought it from and they said it is very secure and passes all hackersafe tests.
     
  4. Dano2

    Dano2 Thread Starter

    Joined:
    Nov 30, 1999
    Messages:
    962
    Does anyone know of a free site where a person can test their site?
     
  5. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    10,775
    I don't think a web site can test out your software. SQL injection is carried out by placing illegally crafted input into data fields on your web pages. You need a person to carry out those tests - it's called penetration testing. I think if you google for it, you can find companies that do that.
     
  6. Dano2

    Dano2 Thread Starter

    Joined:
    Nov 30, 1999
    Messages:
    962
    Then what is the best way to protect your website from hackers?
     
  7. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    10,775
    The best way to protect a web site with interactive features is to have security designed in before one starts coding. And then do extensive validation in the code of all user supplied inputs. In your case, since you bought 3rd party software, there is no way to control that. You can have a penetration test done, then you will be given a list of security problems, if there are any, and how to rectify them. Hand it over to the software company and have them fix the problems. If the pen test reveals no security problems, then you can rest easy.
     
  8. Dano2

    Dano2 Thread Starter

    Joined:
    Nov 30, 1999
    Messages:
    962
    Well that sounds easy! LOL. Well I like many others created my own website using a tool such as Dreamweaver. As for the shopping cart piece I use Paypal. However Paypal doesn't offer all the options like USPS shipping cost, and dropdown options etc. So I bought 3rd party shopping cart software which works with Paypal. The only input is customer shipping information, no credit cards etc, Paypal takes care of that piece.

    Nevertheless I just want to try and make my site as secure as possible.
     
  9. antimoth

    antimoth

    Joined:
    Aug 8, 2009
    Messages:
    361
    Do you know if you really have a MySQL database and a php script running it? Setting these up is a big pain for most newbies, and you should have remembered it. What you described could be done without a database.
     
  10. Dano2

    Dano2 Thread Starter

    Joined:
    Nov 30, 1999
    Messages:
    962
    Hi, not sure what you mean by "you should have remembered it". I posted my post because that is what I have running. The 3rd party cart that hooks up to paypal that I purchased is .PHP and I had to setup the MySQL database at my host following the instructions for the software so, the answer would be yes.

    I just went to my host and found this information in the database section where I set up the db connection.

    "Your MySQL databases are stored behind a firewall to protect your data. You can only access each one exclusively through your server. Direct access to your MySQL databases using a home PC (external ODBC connection) cannot be established"

    Oh and as far as setting up the db connection, really wasn't that hard, I just followed some simple instructions that came with the software.

    Regards, Dano2
     
  11. antimoth

    antimoth

    Joined:
    Aug 8, 2009
    Messages:
    361
    Sorry for doubting. I use "believe" when I'm at a 50% confidence level so I read it that way.

    You can always button up your end of the operation. Have your php settings per your webhost's recommendations. Have the right file permissions. Don't want your password file in plain view.

    Ask your security friend at work to poke some bad inputs into your website. Good luck.
     
  12. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    10,775
    Here's a previous post which points to an article explaining SQL Injection somewhat.
     
  13. antimoth

    antimoth

    Joined:
    Aug 8, 2009
    Messages:
    361
    Reference: http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803744

    The test is very simplistic, but will let you know if your program even considered SQL injection as a threat. Your program should be able to handle the apostrophe w/o an error. They want you to enter something like 'text. What does it do with inputs like O'Brian and O'Toole?

    _____________________________________________________________________________________
    SQL injection: To test for SQL injection bugs, peruse the application and find places where users can enter text, such as where the text is used to perform a lookup function, according to Breach. Then type a single quote character and some text: If the application shows an error message from your database, then you're likely housing an SQL injection bug.
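The two posts above make the same point from opposite ends: lunarlander says all user input must be handled safely in the code, and antimoth's quoted article says the quick symptom of a problem is a database error when a name like O'Brian is entered. The script below is an added example, not code from this thread or from any shopping cart product. It uses Python's built-in sqlite3 in place of MySQL and a constructed customer table, and shows why a query built by string concatenation trips over the apostrophe while a parameterized query handles O'Brian and O'Toole as ordinary names. The table, column and function names are all made up for the illustration.

```python
import sqlite3

# Constructed sample data standing in for a shopping cart's customer table.
SAMPLE_CUSTOMERS = [
    (1, "O'Brian", "12 Main St"),
    (2, "O'Toole", "9 Oak Ave"),
    (3, "Smith", "4 Elm Rd"),
]


def make_db():
    """Create an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_concatenated(conn, name):
    """The weak pattern: user text is pasted straight into the SQL string.
    An apostrophe in the name ends the quoted literal early, so the database
    sees malformed SQL and raises an error (the symptom the article describes)."""
    sql = "SELECT address FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """The safe pattern: the name travels as a bound parameter, never as SQL text,
    so apostrophes (or anything else) are just characters in the value."""
    sql = "SELECT address FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def apostrophe_check(lookup, name="O'Brian"):
    """Run the apostrophe test against a lookup function.
    Returns the string 'error' if the database rejects the statement, otherwise
    the list of addresses found.  A production page should catch the exception
    the same way and show the visitor only a generic message, logging the detail
    server-side rather than echoing the database's error text."""
    conn = make_db()
    try:
        return lookup(conn, name)
    except sqlite3.OperationalError:
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (lookup_concatenated, lookup_parameterized):
        print(fn.__name__, "->", apostrophe_check(fn))
```

Running the script prints "error" for the concatenated version and a one-element address list for the parameterized one. The same check can be applied to any name containing an apostrophe; the fix is always to bind values as parameters (PHP's mysqli and PDO offer prepared statements for this), not to strip or escape apostrophes by hand.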
     
Short URL to this thread: https://techguy.org/908039