
Review Your Code

By Steve Jones

I hope that SQL Injection becomes a disease of the past at some point in the future, one that is eradicated from the world except for very rare, isolated cases. However, that's not the state of the world now, and probably not what we'll see anytime soon. I don't often see large-scale attacks, but I wasn't surprised when a piece from Denny Cherry appeared recently.

What was disconcerting was the attack he referenced: it was automated and self-spreading, injecting code into compromised sites so that more and more visiting users would end up with code that joined their systems to a botnet.

What's worse? Most virus detectors didn't pick up the code. 

What's really, really bad? Bored hackers, criminals, or anyone else could get details of the exploit on the Internet and start searching for injected machines they could easily alter or take control of in their own creative way.

In Denny's piece, he gives advice that's easy to follow and shouldn't delay development time. Most developers could easily build templates to use when writing queries, or standard formats for parameterized queries. Not doing so is laziness or ignorance, and it's dangerous.
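
The kind of template the editorial asks for, as an added example that is not part of the original piece: a query built by string concatenation beside its parameterized form, plus the allow-list pattern for identifiers (ORDER BY targets) that cannot be bound as parameters. It assumes an in-memory SQLite table constructed here as a stand-in for SQL Server; pyodbc against SQL Server uses the same `?` markers.

```python
# Added example (not from the editorial): string-built query vs. parameterized
# query, using an in-memory SQLite table constructed here in place of SQL Server.
import sqlite3

def make_db():
    """Constructed sample data: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def find_user_vulnerable(conn, name):
    """The pattern the editorial warns about: input spliced into the SQL text,
    so the input can change the statement's structure, not just a value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_parameterized(conn, name):
    """The template: SQL text is fixed at development time and the input
    travels as a bound parameter, never as part of the statement."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# Identifiers cannot be bound, so the template restricts them to a fixed set.
ALLOWED_SORT_COLUMNS = {"name", "role"}

def list_users_sorted(conn, sort_column):
    """Column names come from an allow-list, never from the caller's string."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % sort_column)
    sql = "SELECT name FROM users ORDER BY " + sort_column
    return [row[0] for row in conn.execute(sql)]

if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"   # classic textbook input used to show the difference
    print(find_user_vulnerable(conn, tautology))     # every row is returned
    print(find_user_parameterized(conn, tautology))  # [] : treated as a literal name
```

The parameterized version returns nothing for the tautology input because the driver sends it as a string value, so the statement's WHERE clause is never rewritten.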

It's 2013. I'd say that if you write code after today that's susceptible to SQL Injection, you ought to be fired. Plenty of people would argue that if you've written code in the last couple of years you should be let go, but I'm offering amnesty. Go buy Denny's book. Go read about secure coding. Learn how to write code that doesn't make this kind of attack easy.
