One milly-yon sites hit by a SQL Injection attack. That happened according to a headline I saw recently, with an attack similar to Lizamoon affecting seven figures worth of ASP.NET sites. How can this still be happening on large scales? I'd like to think that this was mostly at small sites that people had set up for themselves, but I'm sure some decent sized companies were involved in this.
This isn't good for your brand as a developer. If you don't know what SQL Injection is, you shouldn't be developing software. If you don't know how to code to avoid it, you shouldn't be hired by anyone to build software. If you can't write a stored procedure around a query or build a parameterized call to a database engine, you need to learn how or find another career.
It's sad that years after we've had the SQL injection problem make headlines, and change the way many companies write software, we will have thousands of applications being used every day that are still vulnerable to this type of attack. There is a lot of old code out there, but it can't remain. We are regularly adding new data to our systems, and new data to applications. There's no excuse for companies not making a complete review of older code and updating it to avoid unvalidated input or passing through queries that could be hacked.
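The difference between a pass-through query built from user input and a parameterized call, as an added example (not code from the editorial; it uses Python's standard sqlite3 module and a constructed three-row users table so it runs offline, and the apostrophe in the sample name is enough to show why the database cannot tell input from SQL):

```python
import sqlite3


def make_db():
    """Constructed sample data: a minimal users table (assumption, not the page's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user"), ("bob", "user")],
    )
    return conn


def lookup_concatenated(conn, name):
    """The vulnerable pattern: the input is spliced into the SQL text, so the
    engine parses the user's characters as part of the statement. A quote in
    the input breaks the statement; input that keeps the syntax valid would
    instead change what the statement does, which is SQL injection."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: the statement is compiled with a placeholder and the value is
    bound separately, so it is only ever treated as data, never as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def concatenation_breaks(conn, name):
    """True when the concatenated query fails to parse for this input, i.e. the
    input was interpreted as SQL syntax rather than as a value."""
    try:
        lookup_concatenated(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice", "o'brien"):
        print(probe, "concatenated breaks:", concatenation_breaks(db, probe),
              "parameterized:", lookup_parameterized(db, probe))
```

The same split applies to T-SQL: EXEC over a string you built is the concatenated form, while a stored procedure with typed parameters (or sp_executesql with a parameter list) is the bound form.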
Educate yourself, save these headlines for your boss, and ask that no new applications, including third party ones, be purchased if they haven't updated the code to prevent SQL Injection attacks.
The Voice of the DBA Podcasts
The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there. There is an overall RSS feed, and the podcast is now on iTunes!
Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.
You can also follow Steve Jones on Twitter.