Background
The classic web flaw, and still a common one: input typed by a user is spliced straight into a database query or an operating-system command, so crafted input changes what the query or command does (SQL injection and command injection).
Questions to ask yourself
- Did the developer use a recognised framework with built-in protection?
- Has the site been scanned for SQL injection?
- Are we running a hand-rolled PHP or classic ASP site from 2015?
- Are we relying on the developer's memory of which fields need escaping?
What you can do today
Use frameworks; verify with a free scanner
Modern frameworks make injection hard if they are used as intended: their ORMs and query builders bind user input as parameters rather than pasting it into the query text. That protection disappears the moment a developer drops to raw SQL with string concatenation, so the framework is a starting point, not a guarantee.
1. Insist that parameterised queries (or the framework's ORM) are used everywhere, including one-off reports, admin pages and any raw-query escape hatch the ORM offers.
2. Run a free automated scan with OWASP ZAP against a test copy of the site; a clean scan means nothing obvious was found, not that the site is injection-free.
3. For business-critical applications, pay for a penetration test.
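The difference between step 1 and the flaw described under Background, shown as an added example that is not part of the original page: a login check written with string concatenation beside the same check written with bound parameters, run against a constructed in-memory SQLite database. The table, the two sample accounts and the `' OR '1'='1` payload are all assumptions made for the demo. It also shows the one case parameters cannot cover, a column name chosen by the user, where an allow-list is the right tool.

```python
import sqlite3


def build_db():
    # Constructed sample data for the demo (not from the original page).
    # Passwords are stored in clear only to keep the example short; real code stores a hash.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # VULNERABLE: the user's text becomes part of the SQL itself, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password):
    # SAFE: the SQL text is fixed; the driver binds the values separately,
    # so quotes or keywords in the input are data, never syntax.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Identifiers (table and column names) cannot be bound as parameters.
# The hypothetical allow-list below is how that case is handled instead.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users_sorted(conn, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("refusing to sort by untrusted column: %r" % sort_by)
    # Safe only because sort_by was checked against the fixed allow-list above.
    rows = conn.execute("SELECT username FROM users ORDER BY " + sort_by).fetchall()
    return [row[0] for row in rows]


def sort_is_rejected(conn, sort_by):
    # True when the allow-list blocks the value; used to check the guard.
    try:
        list_users_sorted(conn, sort_by)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"   # constructed injection payload used as the password field
    print("vulnerable, real password:   ", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injected password:", login_vulnerable(db, "alice", payload))
    print("parameterised, injected:      ", login_parameterised(db, "alice", payload))
    print("sort by untrusted column rejected:", sort_is_rejected(db, "id; DROP TABLE users"))
```

With the payload in the password field, the concatenated query reads `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable version logs the attacker in without a password; the parameterised version compares the literal string and fails. Note that the allow-list check is what makes the `ORDER BY` line safe, not the fact that it happens to be short.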