Testing for SQL Injection Vulnerability

By Regina Kwon  |  Posted 2002-11-01 Print this article Print

Will your Web site pass our security tests?

Testing for SQL Injection Vulnerability
Step 1. Open the Web site in a browser.
Step 2. Find a script.

 align=Look for common scripting-language file extensions--Microsoft Active Server Pages (*.asp) and Macromedia ColdFusion (*.cfm) scripts are usually the most vulnerable. The search field is your best bet; the Uniform Resource Locator (URL) on the results page will likely contain a script. Also try hovering your cursor over links while watching the bottom status bar. If the status bar doesn't display URLs, click on links and watch the address bar until you find a URL that has parameters.

Step 3. Begin testing.

Once you are on a page whose URL contains parameters, you are ready to test for SQL Injection vulnerability. There are two methods. Be sure to test each parameter value, one at a time, with each method.

Method 1. In the address bar URL, highlight a paramter value. Replace it with a single quote.


Method 2. Instead of highlighting the entire parameter value, click inside the value and type a single quote.


Step 4. Send request.

Press the Enter or Return key. This will send your request to the Web server.

Step 5. Look for database error message.

Most will look similar to the examples below.

Example 1.


Sometimes the error message does not display on screen. To find it, you may have to search the HTML source of the page. (View | Source in Microsoft Internet Explorer or View | Page Source in Netscape.) A document will open. Use that program's search tool to look for either of these phrases:

Microsoft OLE DB



Step 6. Learn more.

If you see one of the error messages shown or find Microsoft OLE DB or [ODBC] in the source code, then the site is vulnerable to SQL Injection. Read SPI Dynamics' SQL Injection white paper for advice on how to fix this vulnerability.

As Statistics Editor of Baseline magazine, Regina creates interactive tools, worksheets and project guides for technology managers. Before joining Ziff Davis, she worked as a technical program manager for a database company, where her projects included data management applications in XML, Java, Visual Basic and ASP. Her other experience includes running the new media department at Christie's Inc. and writing and editing for Internet World and PC Magazine. Regina received a B.A. from Yale.

Submit a Comment

Loading Comments...
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.