SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. In most cases, user input is not filtered by the script and is then passed into a SQL statement.
The SQL injection test tool was created for beginner webmasters. It performs a simple test to check whether a webpage is vulnerable to SQL injection. It cannot determine vulnerability for sure, but will at least try.
Parameters
The tool expects a URL with parameters, like this:
http://www.example.com/articles/article.php?id=123&topic=injection
It will not work if the URL does not contain parameters. For example, the tool will not be able to check the following URL:
http://www.example.com/articles/article.php
How SQL Injection Test works
The script parses the URL provided and modifies its parameters to simulate a simple SQL injection (it adds double and single quotes).
If the resulting page contains an error message generated by a database management system (like MySQL, MSSQL, etc.), then the script is most likely vulnerable to SQL injection. In this case the SQL Injection Test tool will produce a warning.
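The check described above, as an added example that is not the tool's own source: it runs entirely offline against a constructed in-memory SQLite stand-in for article.php, comparing a string-concatenating handler with a bound-parameter one. The handler names, the sample table and the signature list are assumptions; the third case in the usage note shows why the test "cannot determine vulnerability for sure".

```python
import re
import sqlite3
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed signature list; "unrecognized token" is what SQLite emits here.
DB_ERROR = re.compile(r"unclosed quotation mark|error in your sql syntax|"
                      r"unrecognized token", re.I)

def quote_variants(url):
    """Yield (param, url) with a single or double quote appended to one parameter."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, value) in enumerate(params):
        for quote in ("'", '"'):
            mutated = params[:i] + [(name, value + quote)] + params[i + 1:]
            yield name, urlunsplit(parts._replace(query=urlencode(mutated)))

def make_db():
    # Constructed sample data standing in for the site's database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    db.execute("INSERT INTO articles VALUES (123, 'Sample article')")
    return db

def concat_page(db, url, show_errors=True):
    """Hypothetical article.php: id is concatenated straight into the SQL text."""
    params = dict(parse_qsl(urlsplit(url).query))
    try:
        sql = "SELECT title FROM articles WHERE id = " + params["id"]
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "Database error: %s" % exc if show_errors else "Not found"
    return row[0] if row else "Not found"

def bound_page(db, url):
    """Same page with id passed as a bound parameter, so it is never parsed as SQL."""
    params = dict(parse_qsl(urlsplit(url).query))
    sql = "SELECT title FROM articles WHERE id = ?"
    row = db.execute(sql, (params["id"],)).fetchone()
    return row[0] if row else "Not found"

def scan(page, url):
    """Return parameters whose quoted variant produced a DBMS error page."""
    db = make_db()
    return sorted({name for name, variant in quote_variants(url)
                   if DB_ERROR.search(page(db, variant))})
```

Calling `scan(concat_page, url)` on the parameterised URL above flags `id`, while `scan(bound_page, url)` flags nothing. Calling `concat_page` with `show_errors=False` also flags nothing even though the query is still built by concatenation, so a clean result from an error-based check is not proof of safety.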
You might be interested in other online tools.
Webmaster
October 5, 2007
Please add vulnerability scan for mod-rewrited urls.
johan [anti-spam] tagor.net
November 4, 2007
What should I do to clean up the warning of "Database error detected. The webpage is either vulnerable to SQL injection, or user input is not correctly sanitized."
I don't mind to pay for the service.
Cheers.
Havrekex
November 6, 2007
Seems to say database error on everything I throw at it
November 6, 2007
Yes it sure does always send a fear monger message, in fact the author of this site might want to check their own pages as they report the same issue every other site does :-)
Admin: Fixed. Newly added error detection pattern was causing this. Thank you for posting!
me [anti-spam] dash.za.net
December 2, 2007
hey,
Nice...I am currently working on something very similar, except it crawls the whole site and injects every GET parameter found in page links.
I would really appreciate it if you would please mail me some of your string signatures that you use to detect sql injection, currently all I'm looking for is "unclosed quotation mark".
Thanks a lot.
DASH
December 14, 2007
Hi...
I have a question. I have read papers on AMNESIA, SQLDOM...do they come under automated tools to detect SQL injection?
It will be great if someone can answer my question. Thank you!
Richard
December 25, 2007
Nice work,
I use it to test my site
January 3, 2008
Doesn't work for me...
February 12, 2008
Every time I check the link displays result as "Test did not reveal SQL injection vulnerability."
February 19, 2008
<script>alert("xss");</script>
BlzOfHk
March 25, 2008
Doesn't work for me too , but thank u anyway
hi
May 21, 2008
Author please check it once before u say others!!
newkaiza [anti-spam] web.de
June 12, 2008
Hello great tool,
is that possible that i can get the sources ?
June 21, 2008
The site fails to pick up some pretty major inj that are common knowledge to most "internet" people
October 4, 2008
öhm... lol
i know why i prefer to check sites manual.
tried 4 sites which has definitely a vulnerability. But this check said: "Test did not reveal SQL injection vulnerability."
October 7, 2008
definitely have some problems with this test, just had a recent attack on my website from sql injection and it comes up negative
November 13, 2008
It doesn't catch all the SQL Injection bugs
d.rutmann [anti-spam] adanetmail.com
December 22, 2008
I recommend a service called GamaSec (www.gamasec.com) remote online web vulnerability-assessment service
that tests web servers, web-interfaced systems and web-based applications against thousands
of known vulnerabilities with dynamic testing, and by simulating web-application attacks during
online scanning. The service identifies security vulnerabilities and produces recommended
solutions that can fix, or provide a viable workaround to the identified vulnerabilities
Sumeet
January 24, 2009
LOL
Your antispam protection is quite easy to break. Why not use a captcha ???
BTW Thanks for the tool. My site was vulnerable. Just fixed it :)
February 9, 2009
f4e18b06
sebastianmano [anti-spam] gmail.com
February 10, 2009
AD
cowpus
February 14, 2009
no workie
and with a script that is *known* to be vulnerable
hmm...
February 24, 2009
You should add what exactly the scanner did. What tables it injected and etc..
saira
February 26, 2009
hi
i want to know one thing when i enter the URL of my application that i need to be test i got time out message. now wot can i do plz help me out.
ketek90 [anti-spam] gmail.com
March 18, 2009
hi guys,,, great tools... btw you can try out this too,, tools.kerinci.net/?x=injector
April 17, 2009
http://www.zubrag.com/tools/sql-injection-test.php
WARNING! Database error detected. The webpage is either vulnerable to SQL injection, or user input is not correctly sanitized.
URL tested: http://www.zubrag.com/tools/sql-injection-test.php
April 17, 2009
Instructions say: It will not work if URL does not contain parameters.
The url you tested does not expect parameters, so the result is unexpected
April 28, 2009
Test did not reveal SQL injection vulnerability.
joe2owl [anti-spam] yahoo.com
May 21, 2009
Try to use fuzzers to find SQL Injection vulnerabilities. I recommend Powerfuzzer http://www.powerfuzzer.com. It can find SQL Injection in Microsoft SQL Server, MySQL, Postgres and IBM DB2.
thenin
June 12, 2009
exactly
WARNING! Database error detected. The webpage is either vulnerable to SQL injection, or user input is not correctly sanitized.
URL tested: http://www.zubrag.com/tools/sql-injection-test.php
Comments
shafiq
June 12, 2009
hello i am shaiq from Mirpur Azd Kashmir Pakistan.. kindly tell me wot kind of bug programmers did during code..? which a hacker can easily access to database..
June 23, 2009
This doesn't work at all. I tested a site that I KNEW had an SQL injection vulnerability. And it didn't work.
teste
June 30, 2009
<script>alert'hehe'</script>
July 1, 2009
Nice to have multiple opinions.
Error based and blind available here - http://www.hackertarget.com/