How to manually attempt SQL injections on my website?

I found lots of tools which injects passwords, bucks and various stuff into others websites开发者_开发技巧.

However, I'm sure that none will work against all forms on my site.

So, I want to manually test my site for SQL injections.

What's a good way to attempt SQL injections on my website?

Do I need the database name, user name and password of the database? Do I need to know the SQL port number? How do I get started?

Take a look at this cheat sheet to try it manually. OWASP also covers the theory. You should be familiar with it in order to use automated tools effectively.

Here is a list of tools you might use.

An attacker should not already know a password for the database, but you can assume that your table names and schemas can be guessed.

Just enumerate the set of parameters that each page takes (including ones that no form actually links to and ones that are only filled by hidden parameters) and try putting special characters like quotes into them. If entering O'Reilly in a form input causes an exception, then there's a good change ' OR '' == ' will cause a whole bunch more results to come out than the programmer intended.

here is a nice post about sql injections

http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

There is no 100% reliable tool that will allow you to know whether your site is vulnerable to SQL injection or not. If there was SQL injection wouldn't exist and it wouldn't be fun :-) You may checkout sqlmap though. And here's an article describing different strings you may try entering.

http://www.unixwiz.net/techtips/sql-injection.html may be helpful.

You need to check the steps where you have used inline sql queries which are concatenating with the user input. user can input a whole sql query, which will be then executed as subquery.

Check this link too.