Looking for an online sql injection tool checker [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

---

We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.

Closed 8 years ago.

Improve this question

I recover an old website which is full of sql injection, I would need a tool if it exists, that crawl the whole site just by followings existing links on it, then try to put some sql injection contents into weak inputs.

I can check by myself but the site is rather big so I would prefer a crawler, to be sure i do not forget an开发者_运维技巧 entry...

thx

Ok after typing this post, I realize that I'm asking for an hacking tool, which is not the case of course :p, so any white hat techno available ?

---

You should fix your known problems before you look for automated tools.

You need to take the following steps:

1. If the site uses a framework, is the framework up to date and patched? The framework is primarily what automated tools will attack, so rather than test it, just get it up to date.
2. Where the site does its own SQL, you need to check every single SQL statement, by hand, to ensure none of them are vulnerable. That means, in every case, either converting to parameterised statements (best) or using mysql_real_escape_string() or similar if that is not practical.

You should treat the above as a much higher priority than testing tools. Don't even spend time looking for automated scanning tools until those are complete.

An automated SQL Injection tool is just not going to find all your problems, even those which are obvious to a competent attacker.

Until you have done both of the above, you will be wasting your time on automated tools.