
Review Your Code

By Steve Jones

I hope that SQL Injection becomes a disease of the past at some point in the future, one that is eradicated from the world except for very rare, isolated cases. However, that's not the state of the world now, and probably not what we'll see anytime soon. I don't often see large scale attacks, but I wasn't surprised when a piece from Denny Cherry appeared recently.

What was disconcerting was the attack he referenced, which was automated and self-spreading: it injected code into hacked sites so that more and more users visiting them would end up with code that joins their system to a botnet.

What's worse? Most virus detectors didn't pick up the code. 

What's really, really bad? Bored hackers, criminals, or anyone else could get details of the exploit on the Internet and start searching for injected machines they could easily alter or take control of in their own creative way.

In Denny's piece, he gives advice that's easy to follow, and it shouldn't delay development time. Most developers could easily build templates to use when writing queries, or format their parameterized queries. Not doing so is laziness or ignorance, and it's dangerous.

It's 2013. I'd say that if you write code after today that's susceptible to SQL Injection, you ought to be fired. Plenty of people would argue that if you've written code in the last couple of years you should be let go, but I'm offering amnesty. Go buy Denny's book. Go read about secure coding. Learn how to write code that doesn't make this kind of attack easy.
