SQL Injection Vulnerabilities

Created by: Lester Caine, Last modification: 10 Dec 2008 (08:43 UTC)
A number of factors affect SQL injection vulnerabilities. The main one is the use of a range of database engines, each of which would require a different version of an attack to present viable SQL. Invalid SQL will result in an error report to the administrator, and the reported 'White screen' is only returned when a site is in test mode. Production sites would be expected to have is_live set to true and so will direct error reports to the Apache/IIS logs, if enabled.
Some search functions allowed the inclusion of additional WHERE clause SQL, but this conflicted with being database agnostic. It has been replaced with additional search options, which are used to build the SQL internally, preventing any possible injection attack.
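The pattern described above, building the WHERE clause internally from named search options, is sketched here as an added example; it is not code from the project. The table, the option names and the `SEARCH_OPTIONS` whitelist are hypothetical, and SQLite with `?` placeholders stands in for whichever engine and driver a site uses.

```python
import sqlite3

# Hypothetical whitelist: option name -> (column, SQL operator).
SEARCH_OPTIONS = {
    "title": ("title", "LIKE"),
    "author": ("author", "="),
    "min_hits": ("hits", ">="),
}


def build_search(options):
    """Return (sql, params) built only from whitelisted options.

    Option names select fixed SQL fragments; option values are never
    concatenated into the statement, only passed as bound parameters.
    """
    clauses, params = [], []
    for name in sorted(options):
        if name not in SEARCH_OPTIONS:
            raise ValueError("unsupported search option: %r" % name)
        column, operator = SEARCH_OPTIONS[name]
        clauses.append("%s %s ?" % (column, operator))
        params.append(options[name])
    sql = "SELECT title FROM pages"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY title", params


def search(conn, options):
    sql, params = build_search(options)
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, author TEXT, hits INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [("Install", "alice", 40), ("Security", "bob", 90), ("Themes", "alice", 5)],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(search(db, {"author": "alice", "min_hits": 10}))
    # SQL metacharacters in a value are compared as data, matching nothing.
    print(search(db, {"author": "alice' OR '1'='1"}))
```

Because callers can only name an option and supply a value, there is no place left for caller-supplied SQL text, and the same builder works across engines once the placeholder style matches the driver.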
This page needs confirming and expanding to cover the various potential database-specific attacks, but it is not believed that there are any remaining paths in?