Although I wouldn’t consider myself a SQL Server expert, like any good developer, I know my way around stored procedures, database normalization, and proper indexing techniques. Occasionally, I get questions from customers about SQL injection attacks. The questions are usually along the lines of: “What is SQL injection?” or “Is it really a big concern?” I can tell you that it is a very big concern, and if you’re writing web applications (on any platform), it would be irresponsible not to familiarize yourself with the exploit.
Mike Gunderloy‘s The Daily Grind 533 references a good introductory articled titled SQL Injection Attacks by Example by Stephen J. Friedl. Although the article is posted on a Unix tech tips site, its content is nonetheless germane to almost any web application on any platform. His example illustrates a SQL injection exploit on IIS 6, ASP.NET, and SQL Server.
Here are some other resources that I typically forward to curious developers:
- A section on SQL injection (along with other data access tips) in the MSDN article Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
- Advanced SQL Injection In SQL Server Applications
- (more) Advanced SQL Injection
- SQL Injection, Are Your Web Applications Vulnerable?
But, if you really want to freak out (or if you want to demonstrate to management how critical it is to worry about such issues), download the free proof-of-concept tool called Data Thief from Application Security, Inc. and a related whitepaper titled Manipulating Microsoft SQL Server Using SQL Injection. I saw this tool demonstrated at an internal security event, and the first thing that popped into my mind was: “This is Enterprise Manager for hackers.” Scary stuff.