SQLServerCentral is supported by Redgate

Review Your Code

By Steve Jones,

I hope that SQL Injection becomes a disease of the past at some point in the future, one that is eradicated from the world except for very rare, isolated cases. However, that's not the state of the world now, and probably not what we'll see anytime soon. I don't often see large-scale attacks, but I wasn't surprised when a piece from Denny Cherry appeared recently.

What was disconcerting was the attack he referenced, which was automated and self-spreading: it injected code into compromised sites so that more and more visitors would end up with code that joined their systems to a botnet.

What's worse? Most virus detectors didn't pick up the code. 

What's really, really bad? Bored hackers, criminals, or anyone else could get details of the exploit on the Internet and start searching for already-injected machines that they could easily alter or take control of in their own creative way.

In Denny's piece, he gives advice that's easy to follow and shouldn't delay development time. Most developers could easily build templates to use when writing queries, or simply write parameterized queries so that user input is passed as a value rather than spliced into the SQL text. Not doing so is laziness or ignorance, and it's dangerous.
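To make the difference concrete, here is an added example (mine, not code from Denny's piece or this editorial) that puts a string-concatenated query next to its parameterized equivalent and runs the same injection payload against both. It uses Python's built-in sqlite3 driver so it runs offline; the `users` table, its three rows and the payload are constructed for the demonstration. On SQL Server the same separation of SQL text from values is what `SqlCommand` parameters, or `sp_executesql` with a parameter list, give you.

```python
import sqlite3


def build_db():
    # Constructed sample data: a small in-memory table standing in for a
    # web application's user store. Not data from the original editorial.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: the caller's input becomes part of the SQL text, so any
    # quote in it changes the statement the database parses.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # PARAMETERIZED: the SQL text is fixed at development time; the value is
    # sent separately and is only ever compared as data, never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload (constructed for this example). Spliced into
# the vulnerable query it yields:
#   ... WHERE username = '' OR '1'='1'
# which is true for every row.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = build_db()
    # Both functions behave identically for a normal lookup ...
    normal_vuln = find_user_vulnerable(conn, "alice")
    normal_safe = find_user_safe(conn, "alice")
    # ... but only the concatenated one lets the payload rewrite the WHERE clause.
    leaked = find_user_vulnerable(conn, PAYLOAD)
    contained = find_user_safe(conn, PAYLOAD)
    return normal_vuln, normal_safe, leaked, contained


if __name__ == "__main__":
    normal_vuln, normal_safe, leaked, contained = demo()
    print("normal lookup, vulnerable:", normal_vuln)
    print("normal lookup, parameterized:", normal_safe)
    print("payload, vulnerable (rows leaked):", len(leaked))
    print("payload, parameterized (rows leaked):", len(contained))
```

Run it and the vulnerable function returns every row for the payload while the parameterized one returns none, because there is simply no user whose name is the literal string `' OR '1'='1`. A review rule that follows from this is easy to apply: any query whose text is assembled with `+`, string formatting, or `String.Format`-style substitution from a value that originated outside the application is a finding, regardless of what "escaping" was applied first.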

It's 2013. I'd say that if you write code after today that's susceptible to SQL Injection, you ought to be fired. Plenty of people would argue that if you've written code in the last couple of years you should be let go, but I'm offering amnesty. Go buy Denny's book. Go read about secure coding. Learn how to write code that doesn't make this kind of attack easy.
