This question already has an answer here:
- How can I prevent SQL-injection in PHP? 28 answers
At work we are building a micro-CMS based solely in PHP + MySQL. Even if we try to sanitize every user input data and test every function / method, we can make mistakes. For example, if we sanitize a string with a function, let's say:
$name_surname = sanitize_str($_POST["nameSurname"], "text", 50, null, "utf8");
function sanitize_str($input, $data_type, $length, $range=null, $encoding, ...){
.... // do things.
try(){
...
}catch($e){
...
}
return $sanitized_string
}
let's imagine that I call directly
$name_surname = $_POST["nameSurname"];
I am completely open to SQL injection. Is there some automated tool that will take given URLs and will make tests in order to seek vulnerabilities? For example, detecting forms in the test URLs, autofilling the forms, submitting and finding if a MySQL error is generated.
Aucun commentaire:
Enregistrer un commentaire