false flag SQLi in this string

24 December 2017, 04:37

When I insert this string in my form " Orange (" (without quotation marks), my Hiawatha v10.7 detects an "SQL Injection Detected 441". Can anyone reproduce this behavior?

Merry Christmas

24 December 2017, 04:43
This is the string urlencoded: +Orange+%28

Hugo Leisink
24 December 2017, 13:32
I can confirm. I know Hiawatha's SQL injection detection ain't perfect. False positives are a side effect of the attempt to detect most SQL injections. Just don't have it enabled all the time. It is not meant to be a replacement for secure code. I quote from the Hiawatha manual:
"Don't use this as a generic security feature. Only use it to prevent a specific vulnerability in an application that can't be taken offline while you wait for a patch."