Background
The classic web flaw and still common: when user-typed input gets passed directly to a database or system command, an attacker types something like '; DROP TABLE customers;-- and the database obediently does it.
Questions to ask yourself
- Did the developer use a recognised framework with built-in protection?
- Has the site been scanned for SQL injection?
- Are we running a hand-rolled PHP or classic ASP site from 2015?
For owners — questions to ask your developer
Questions to ask your developer
You don't need to know what a parameterised query is — you just need to ask the right questions.
- 01“Are parameterised queries (or the framework's ORM) used everywhere — or are we still building SQL strings by hand anywhere?”
- 02“Has the site been scanned with OWASP ZAP or a similar tool? When? Can you run one now and share the report?”
- 03Decision: For business-critical apps, commission a penetration test at launch (£3k–£10k) and annually after.