I am always interested in hacking, and I understand the concept of SQL injection and cross-site scripting. However, the thing I don't know is how to detect a possible SQL injection. I have checked some books, but I didn't get much information. Do hackers do the detection work by hand, or do they have smarter automatic tools?
So, I'm thinking of writing a simple tool to do an automatic injection check (using qwebkit). I want to capture the HTTP requests before sending them and replace some form data in the HTTP header with SQL injection commands. The program checks the HTTP response, compares it with a normal response, and reports any difference.
The thing is that I have never found a SQL injection myself, so is this idea valid?
Say, if I successfully upgrade myself to administrator of a certain website, the returned HTTP response should look normal. So I shouldn't be able to automatically report that with my program?
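The differential check the question describes, reduced to its essentials as an added example (not code from the question or from any tool it mentions): a login query built by string concatenation next to the same query with bound parameters, and a probe function that compares the rows returned for a benign input with the rows returned for a test input. The in-memory SQLite database, the user rows and the function names are constructed for the example. The point for a defender is visible in the two results: the concatenated query returns extra rows for the probe, while the parameterized query treats the same input as a plain password string and returns nothing, so there is no difference to report.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, role) VALUES (?, ?, ?)",
        [("alice", "wonderland", "admin"), ("bob", "builder", "user")],
    )
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: user input is pasted into the SQL text, so quotes
    and operators in the input become part of the query logic."""
    query = (
        f"SELECT name, role FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_param(conn, name, password):
    """Hardened form: the same query with bound parameters. The driver
    sends the input as data, never as SQL, so it cannot alter the WHERE clause."""
    query = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchall()


def differential_probe(login, conn, name, baseline_input, probe_input):
    """Compare the result for a harmless input against the result for a
    probe input. Any difference means the probe reached the query logic;
    identical results are what a correctly parameterized query produces."""
    baseline = login(conn, name, baseline_input)
    probe = login(conn, name, probe_input)
    return baseline != probe


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic tautology; only meaningful against the concatenated query
    print("concatenated query differs:", differential_probe(login_concat, db, "alice", "wrong", probe))
    print("parameterized query differs:", differential_probe(login_param, db, "alice", "wrong", probe))
```

Note that the comparison is against the baseline response for a benign input, not against whether the response "looks normal": a login that succeeds where the baseline fails is still a difference, which is exactly the case the question worries about. The same comparison can be turned around as a regression test for the fix, since after switching to bound parameters the probe must produce no difference at all.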
You probably want to take a look at the SQL Injection Cheatsheet. It lists the tricks hackers will usually try to determine whether a particular input field is exploitable and then to extract data from the database.