Re: How can I test my web application against SQL Injections?
From | pedro2009@mandic.com.br |
---|---|
Subject | Re: How can I test my web application against SQL Injections? |
Date | |
Msg-id | 1265460734224880133@webmail.mandic.com.br |
In reply to | How can I test my web application against SQL Injections? (Andre Lopes <lopes80andre@gmail.com>) |
List | pgsql-general |
Hi Andre,

What we do at my job to avoid SQL injections (PHP example): for every web variable that comes from _POST or _GET:

if we expect an integer:
    $x = intval($_GET['x']);
if we expect money:
    $x = sprintf("%.2f", $_GET['x']);
if we expect a string:
    $x = pg_escape_string($_GET['x']);
if we expect a boolean (checkbox for example):
    $x = $_GET['x'] ? 1 : 0;

There are other cases, but that was enough to explain :-)

We try to assure that there are no injections by svn revision/approval procedures. We do no tests, just have the rule to reject a commit that directly used variables that came from _POST or _GET.

Hope that helps.

Pedro

----- ORIGINAL MESSAGE -----
FROM: Andre Lopes
TO: pgsql-general@postgresql.org
DATE: Fri, 5 Feb 2010 21:20:26 +0000
SUBJECT: [GENERAL] How can I test my web application against SQL Injections?

Hi,

I have built a Web Application using PostgreSQL as Database. I need to test it against SQL Injections. What should I do? How to do an accurate test against SQL Injections?

Best Regards,
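As an added example (not Pedro's code, not from the thread), the four coercions above collected into one helper, so that a commit review only has to look for raw `$_GET`/`$_POST` reads outside it; it also shows the bound-parameter form with `pg_query_params`, which removes the need for caller-side escaping. The connection string, the `param()` helper, the `orders` table and the sample request are assumptions constructed for the example.

```php
<?php
// Added example, not code from the mailing-list post.
// Assumes an open PostgreSQL connection in $db (placeholder DSN below) and an
// "orders" table with integer column "paid" (0/1) and text column "customer".

function param(array $src, string $name, string $type, $db)
{
    $raw = $src[$name] ?? '';
    switch ($type) {
        case 'int':
            return intval($raw);                   // "7 extra" -> 7
        case 'money':
            return sprintf('%.2f', (float) $raw);  // "12.5abc" -> "12.50"
        case 'bool':
            return $raw ? 1 : 0;                   // any non-empty value -> 1
        case 'string':
            // Escapes quotes for use inside a quoted literal; the caller must
            // still wrap the result in single quotes in the SQL text.
            return pg_escape_string($db, $raw);    // "O'Neil" -> "O''Neil"
        default:
            throw new InvalidArgumentException("unknown type $type");
    }
}

$db = pg_connect('host=localhost dbname=app user=app'); // placeholder DSN

// Constructed sample request, standing in for $_GET.
$request = ['id' => '7 extra', 'name' => "O'Neil", 'paid' => 'on'];

$id   = param($request, 'id',   'int',    $db);
$name = param($request, 'name', 'string', $db);
$paid = param($request, 'paid', 'bool',   $db);

// Pedro's style: every value is coerced before it is interpolated.
$sql = "SELECT * FROM orders WHERE id = $id AND customer = '$name' AND paid = $paid";
// $sql is now: SELECT * FROM orders WHERE id = 7 AND customer = 'O''Neil' AND paid = 1
$res = pg_query($db, $sql);

// Added alternative: bind the values instead of interpolating them. The
// server receives the query text and the values separately, so the raw
// (unescaped) name can be passed as-is; only the integer coercions remain.
$res = pg_query_params($db,
    'SELECT * FROM orders WHERE id = $1 AND customer = $2 AND paid = $3',
    [$id, $request['name'], $paid]);
```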