Inoculation Against SQL Injection


Anyone on the database scene would have noticed a big surge in SQL Injection attacks around April this year. Developers coming cap in hand to the DBA to blame the database for a security breach and all that...

Hopefully everyone knows what SQL injection is - for those of you who don't, here's a good example.

http://imgs.xkcd.com/comics/exploits_of_a_mom.png

Technically SQL injection has nothing to do with the security of the database itself - it's an application-tier bug. The application has to treat every piece of user input as untrusted, validate it, and wherever possible hand it to the database as a bound parameter rather than concatenating it into the SQL text.

Following some boring/basic best practice like giving the application login only the minimum rights it needs and using stored procedures won't fully prevent SQL injection (a stored procedure that concatenates its arguments into dynamic SQL is just as vulnerable as inline SQL), but it will certainly help limit the damage an injection can do.
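To make that concrete, here is an added example (not from the original post, and not Microsoft's code) in T-SQL, assuming the usual classic ASP back end of SQL Server. The table, procedure and role names are made up for illustration. It shows a stored procedure that is still injectable because it builds dynamic SQL by concatenation, the same lookup done safely with a static query and with sp_executesql, and the EXECUTE-only grant that keeps a successful injection from doing much:

```sql
-- Added example, not from the original post. All object names are illustrative.
CREATE TABLE dbo.Students (
    StudentId int           NOT NULL PRIMARY KEY,
    LastName  nvarchar(100) NOT NULL
);
INSERT INTO dbo.Students (StudentId, LastName) VALUES (1, N'Roberts');  -- constructed sample rows
INSERT INTO dbo.Students (StudentId, LastName) VALUES (2, N'Smith');
GO

-- VULNERABLE: wrapping the query in a stored procedure changes nothing when the
-- procedure itself glues the argument into SQL text and executes it.
CREATE PROCEDURE dbo.FindStudent_Unsafe @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT StudentId, LastName FROM dbo.Students WHERE LastName = '''
             + @LastName + N'''';
    EXEC (@sql);
END
GO

-- With @LastName = N'Roberts''; DROP TABLE dbo.Students; --' the batch that runs is:
--   SELECT StudentId, LastName FROM dbo.Students WHERE LastName = 'Roberts'; DROP TABLE dbo.Students; --'
-- Dynamic SQL is checked against the CALLER's permissions, so if the application
-- login has no ALTER right on the table the DROP fails; that is the "minimum rights"
-- mitigation. It does not stop a UNION-based read of anything the caller may SELECT.

-- SAFE: static SQL. @LastName is bound as data and is never parsed as code.
CREATE PROCEDURE dbo.FindStudent_Safe @LastName nvarchar(100)
AS
BEGIN
    SELECT StudentId, LastName FROM dbo.Students WHERE LastName = @LastName;
END
GO

-- SAFE with dynamic SQL, for the case where part of the statement (here the sort
-- column) cannot be a parameter: whitelist that part, quote it with QUOTENAME, and
-- pass the user value through sp_executesql as a real parameter.
CREATE PROCEDURE dbo.FindStudent_DynamicSafe @LastName nvarchar(100), @SortColumn sysname
AS
BEGIN
    IF @SortColumn NOT IN (N'StudentId', N'LastName')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN;
    END
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT StudentId, LastName FROM dbo.Students WHERE LastName = @p ORDER BY '
             + QUOTENAME(@SortColumn);
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @LastName;
END
GO

-- Least privilege: the application's database user gets EXECUTE on the procedures
-- it needs and no direct rights on the tables, so even an injection that slips
-- through cannot DROP, UPDATE or read tables the procedures never touch.
CREATE ROLE AppRole;
GRANT EXECUTE ON dbo.FindStudent_Safe TO AppRole;
GRANT EXECUTE ON dbo.FindStudent_DynamicSafe TO AppRole;
GO
```

The point of the unsafe procedure is that "we use stored procs" is not a defence on its own: the check to make during a code review is whether any procedure ends in EXEC (@something) built from its parameters. The EXECUTE-only grant is what turns a successful injection from a dropped table into a failed statement in the error log.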

Older "classic" ASP applications seem to be the worst hit - not because the language itself is insecure, but more because people just didn't worry about SQL injection back in them there good old days when string concatenation was how things were done. Ye Hah!

To help detect SQL injection vulnerabilities in ASP applications, Microsoft has released the following FREE toolkit:

http://www.microsoft.com/downloads/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en
