Skip to content

Instantly share code, notes, and snippets.

@CoditCompany

CoditCompany/Automating-SQL-Injection-Discovery.fs

Last active August 31, 2018 11:55
Show Gist options
  • Save CoditCompany/4e0a3d2d3a55e4d89edaffd846823ba0 to your computer and use it in GitHub Desktop.
Save CoditCompany/4e0a3d2d3a55e4d89edaffd846823ba0 to your computer and use it in GitHub Desktop.
Download ZIP
Automating SQL Injection Discovery with FSec
Raw
Automating-SQL-Injection-Discovery.fs
let getOrderIdsForName name =
use con = new SqlConnection "my-connection-string"
con.Open ()
let sql = "SELECT OrderId FROM Orders WHERE Client = " + name
use cmd = new SqlCommand (sql, con)
cmd.CommandType <- CommandType.Text
let rdr = cmd.ExecuteReader ()
seq { while rdr.Read () do
yield rdr.["OrderId"] |> string }
[<Property>]
let ``discover SQL injection`` () =
FSec.sqlInject
|> Arb.fromGen
|> Prop.forAll <|
(getOrderIdsForName >> ignore)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment