As a follow-up to two previous posts about SQL Injection here and here, I wanted to share another idea. This may be a bit of a stretch, but I was just out walking my boss Blue (he has me well-trained) in 20°F weather and had a bit of an idea about finding potentially SQL Injection-susceptible server-side web code: using a file search utility that supports Regex (Regular Expressions), search your *.vb, *.cs, *.asp, *.php, etc. files for the following Regex and similar Regexes (I probably screwed up the Regex - Regex Knowledge (tm) is not sticky for me. I have to relearn it every time I fool with it!)
WHERE\s.*\s=\s'"\s[+]\s
This Regex should find strings embedded in the web site's server code that look like the following. This code is potentially SQL Injection-susceptible, and I would recommend rewriting it so that it uses a Parameterized Query. Defining the datatype and size of each Command.Parameter would also help validate the input, and you could perform additional server-side validation on the input value as well.
string sql = "SELECT * FROM MyTable WHERE MyColumn = '" + TextBox1.Text + "';";
I have used this process to find other things in code files, but not to look for SQL Injection-susceptible code, so this idea may or may not be practical. It would be interesting to try out in a real environment. Separately from using a file search tool, you could easily open the web app code within Visual Studio and look for text strings such as "SELECT", "INSERT", etc. Anywhere that String Concatenation is used to build SQL instead of Parameterized Queries is a potential SQL Injection target and may need to be refactored.
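To show the search idea above as a runnable scanner rather than a one-off find in a file search tool, here is an added Python example (my own code, not part of the original post). It runs the post's own Regex (which does match the example line as written) plus a more general pattern that flags any string literal starting with a SQL verb that is immediately concatenated with + (C#) or & (VB), and it reports line numbers per file. The file names and code lines in SAMPLE_FILES are constructed for the demo; the parameterized rewrite is included so you can see that it is not flagged.

```python
import os
import re

# Constructed sample files standing in for a web app's server-side code:
# two string-concatenated queries (C# and VB), one parameterized rewrite,
# and one concatenation that has nothing to do with SQL.
SAMPLE_FILES = {
    "Search.aspx.cs": (
        "string sql = \"SELECT * FROM MyTable WHERE MyColumn = '\" + TextBox1.Text + \"';\";\n"
        "string greeting = \"Hello, \" + name;\n"
    ),
    "Login.aspx.vb": (
        "Dim sql As String = \"SELECT * FROM Users WHERE UserName = '\" & txtUser.Text & \"'\"\n"
    ),
    "SearchSafe.aspx.cs": (
        "string sql = \"SELECT * FROM MyTable WHERE MyColumn = @col\";\n"
        "cmd.Parameters.Add(\"@col\", SqlDbType.NVarChar, 50).Value = TextBox1.Text;\n"
    ),
}

PATTERNS = {
    # The post's pattern, widened to accept VB's & concatenation operator too.
    "where-concat": re.compile(r"WHERE\s.*\s=\s'\"\s[+&]\s"),
    # Generalized: a closed string literal that starts with a SQL verb and is
    # immediately followed by a concatenation operator.
    "sql-literal-concat": re.compile(
        r'"\s*(?:SELECT|INSERT|UPDATE|DELETE|EXEC)\b[^"]*"\s*[+&]', re.IGNORECASE
    ),
}

# File types worth scanning (assumed list; extend for your code base).
SOURCE_EXTENSIONS = (".cs", ".vb", ".asp", ".aspx", ".php")


def scan_text(path, text):
    """Return one finding per line that matches any pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits = [name for name, rx in PATTERNS.items() if rx.search(line)]
        if hits:
            findings.append(
                {"file": path, "line": lineno, "patterns": hits, "code": line.strip()}
            )
    return findings


def scan_files(files):
    """Scan an in-memory {path: source text} mapping (used for the demo)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_directory(root, extensions=SOURCE_EXTENSIONS):
    """Walk a real source tree and scan every file with a matching extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(path, fh.read()))
    return findings


if __name__ == "__main__":
    # Demo run over the constructed samples; use scan_directory(".") on a real tree.
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{', '.join(f['patterns'])}] {f['code']}")
```

Only the two concatenated queries are reported; the parameterized version and the unrelated "Hello, " concatenation are silent. Expect false negatives where the SQL is built with String.Format or a StringBuilder, so treat the output as a starting list for a manual review, not a complete audit.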
Please let me know what you think about this idea. Any feedback is appreciated. Thanks!