Abstract

This chapter covers tips and tricks for finding SQL injection in code, from identifying where user-controllable input can enter the application to recognizing the kinds of code constructs that can lead to an SQL injection exposure. In addition to manual techniques, the chapter also looks at automating source code reviews with some of the available tools, with examples of using these tools to speed up the review process. There are two main methods of analyzing source code for vulnerabilities: static code analysis and dynamic code analysis. Static code analysis examines the source code without executing it; dynamic code analysis examines the code as it runs. Manual static code analysis involves reviewing source code line by line to identify potential vulnerabilities, and it is very important to adopt a methodical approach when doing so. The goal of the code review is to locate and analyze areas of code that may have application security implications. To perform an effective source code review and identify all potential SQL injection vulnerabilities, the reviewer must be able to recognize dangerous coding behaviors, such as code that builds SQL statements with dynamic string-building techniques.
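As an added illustration of the chapter's point (example code written for this page, not material from the book), the following contrasts the two constructs a reviewer compares, a query built by string concatenation and its parameterized form, and adds a small pattern-based scanner of the kind an automated review tool runs over source; the sample table, its rows and the scanned source fragment are all constructed.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory sample table used only for this demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien")])
    return conn

def find_user_dynamic(conn, name):
    # Dynamic string-building: the value is spliced into the SQL text, so any
    # quote in it changes the statement's structure. This is the construct a
    # reviewer flags.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(conn, name):
    # Bound parameter: the value travels separately and is never parsed as SQL.
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]

def review_demo(name):
    """Run both styles on one input and return what each produced."""
    conn = make_db()
    try:
        dynamic = find_user_dynamic(conn, name)
    except sqlite3.OperationalError as exc:
        dynamic = "error: %s" % exc  # a quote in the data broke the statement
    return {"dynamic": dynamic, "parameterized": find_user_parameterized(conn, name)}

# A first automated pass: a string literal holding a SQL keyword that is then
# concatenated, %-formatted, .format()-ed, or interpolated by an f-string.
_KW = r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b"
_LIT = r'("[^"\n]*' + _KW + r'[^"\n]*"|\'[^\'\n]*' + _KW + r"[^'\n]*')"
_RULES = [re.compile(_LIT + r"\s*[+%]", re.I),
          re.compile(_LIT + r"\.format\(", re.I),
          re.compile(r'\bf("[^"\n]*' + _KW + r'[^"\n]*\{|\'[^\'\n]*' + _KW + r"[^'\n]*\{)", re.I)]

def flag_dynamic_sql(source):
    """Return 1-based line numbers where SQL text is built from runtime values."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if any(r.search(line) for r in _RULES)]

# Constructed source fragment to scan: four dynamic constructions, one safe.
SAMPLE_SOURCE = """\
sql = "SELECT id FROM users WHERE name = '" + name + "'"
sql = "SELECT id FROM users WHERE name = '%s'" % name
sql = "SELECT id FROM users WHERE name = '{}'".format(name)
sql = f"SELECT id FROM users WHERE name = '{name}'"
cur.execute("SELECT id FROM users WHERE name = ?", (name,))
"""

if __name__ == "__main__":
    print(review_demo("O'Brien"))        # dynamic form errors, parameterized returns [2]
    print(flag_dynamic_sql(SAMPLE_SOURCE))  # [1, 2, 3, 4]
```

The scanner is deliberately a line-level heuristic; it shortlists candidates for the line-by-line manual review the chapter describes rather than replacing it.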
