31 May 2008 09:53
SQL Injection Attacks - No excuse for sloppy programming
I cannot emphasise enough the importance of understanding the absolute basic security principles when developing applications that connect to and run SQL against any database product.
If you are doing application development that requires database access and don't fully understand the term "SQL Injection", then really, stop what you are doing. In code you are doing the equivalent of buying a car and driving it away having had no driving lessons and with no grasp of the basics: accelerator and brake. SQL Injection needs only 15 minutes of your reading time to understand and prevent.
This is not a web server problem and it is not a database problem; it is a human coder problem, and as such it can only be fixed by you.
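To show what "a human coder problem" means in practice, here is an added example (not code from the original post): a login check written two ways, first with the caller's input concatenated straight into the SQL string, then with a parameterised query. SQLite stands in for the database product so the code runs offline; the pattern is the same with any driver that supports parameters.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows (assumption: SQLite in place of SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    # Sloppy version: user-supplied text is pasted into the statement, so a quote
    # character in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, password):
    # Fixed version: the statement text is constant and the values travel separately
    # as parameters; whatever the caller types can only ever be compared as data.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def demo():
    """Run both versions against a real credential and against a quote-bearing input."""
    conn = make_db()
    # Constructed test input: a quote followed by SQL keywords. In the vulnerable
    # query it rewrites the WHERE clause; in the safe query it is just a wrong password.
    hostile_input = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_hostile": login_vulnerable(conn, "nobody", hostile_input),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_hostile": login_safe(conn, "nobody", hostile_input),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: login accepted = {accepted}")
```

The only code change between the two functions is moving the values out of the statement text and into the parameter tuple, which is the whole of the fix.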
Extract from Buck Woody's blog: http://blogs.msdn.com/buckwoody/archive/2008/05/30/sql-injection-attacks.aspx
"You might have read recently that there have been ongoing SQL injection attacks against vulnerable web applications occurring over the last few months. These attacks have received recurring attention in the press as they pop up in various geographies around the world. These attacks do not leverage any SQL Server vulnerabilities or any un-patched vulnerabilities in any Microsoft product – the attack vector is vulnerable custom applications. In fact, SQL Injection is a coding issue that can attack any database system, so it's a good idea to learn how to defend against them.
In order to help you respond to and defend yourself from these attacks, Microsoft has an authoritative blog including talking points and guidance. You can find this at http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx."
Filed under: SQL Server, SQL Development