I scanned my login script using the SQL Inject Me Firefox addon.
According to the Test Results, my script was vulnerable to SQL Injection. Result by example
Some penetration testing tools prefer servers to return no error messages or at least very generic messages. For example, on the SQL Inject Me page it says:
"The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page."
So perhaps when it sees the 302 response code, it assumes that your app is returning too much information. You can test this theory by setting a different status code for your response and seeing if SQL Inject Me still gives an error, like so:
header('HTTP/1.1 404 Not Found');
Of course, sending them a 404 won't help your user find their way back to the login page, so you may have to experiment with other 3XX messages, perhaps 303 or 307.
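The following is an added example, not part of the answer above or the asker's script: a login handler that binds the username as a query parameter and returns the same 303 redirect for a wrong password, an unknown user and a database failure, so no database error text reaches the rendered page. The function name `handle_login`, the `users` table, its columns and the redirect paths are assumptions.

```php
<?php
// Added example: hypothetical login handler; table/column names are assumptions.
declare(strict_types=1);

/**
 * Returns [status code, Location value]. The same redirect is returned for a
 * bad password, an unknown user and a database failure, so nothing in the
 * response distinguishes a SQL error from an ordinary failed login.
 */
function handle_login(PDO $pdo, string $user, string $pass): array
{
    try {
        // Bound parameter: a quote inside $user is data, never SQL syntax.
        $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE name = :name');
        $stmt->execute([':name' => $user]);
        $hash = $stmt->fetchColumn();   // false when no row matches
    } catch (PDOException $e) {
        // Details go to the server log only, never into the response body.
        error_log('login query failed: ' . $e->getMessage());
        $hash = false;
    }
    if (is_string($hash) && password_verify($pass, $hash)) {
        return [303, '/account.php'];
    }
    return [303, '/login.php?failed=1'];
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs: valid login, wrong password, username with a stray quote.
$cases = [['alice', 'correct horse'], ['alice', 'wrong'], ["alice'", 'x']];
foreach ($cases as [$u, $p]) {
    [$code, $where] = handle_login($pdo, $u, $p);
    printf("%-8s -> %d %s\n", $u, $code, $where);
}
```

In a real script the returned pair would be sent with `header('Location: ' . $where, true, $code);` followed by `exit;`.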