The Voice of the DBA

Steve Jones is the editor of SQLServerCentral.com and visits a wide variety of data-related topics in his daily editorial. Steve has spent years working as a DBA and general purpose Windows administrator, primarily working with SQL Server since it was ported from Sybase in 1990. You can follow Steve on Twitter at twitter.com/way0utwest

SQL Injection - It's Not Just Me!!

I have a personal web site I set up years ago, mainly so I could post stuff for my extended family and kind of keep a log of my life. Back then it was a "weblog" instead of just a blog, and there wasn't much software around for the Windows world. Plenty for the *nix world, and there was Movable Type, but I wanted a SQL Server based solution. So I wrote my own, added some simple features and it worked great for me.

I added in some other interests, and like many people in the 2000-2001 timeframe, I assumed most people would come to look at the site and not attack it. After all, it’s just pictures and thoughts and comments from me.

Apparently not!

Last week, F-Secure, a security vendor, got hit by a SQL injection attack, which is also what happened to my site a few weeks back. I was on my way back from the UK, arrived at home to find Google had marked my site as a malicious site. I ended up spending hours cleaning out the database, even whacking some data, and eventually removing all the "script" stuff that had been inserted.

Embarrassing for me, but way worse for a security vendor.

We all want to get things done, be effective, and sometimes that means quick and dirty, throwing up pages on a web site to put out information quickly. However, those quick and dirty efforts still need to conform to some good security practices. Especially these days, with worms like Conficker out there.
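As an added illustration (not code from this editorial or from Steve's site), here is what "quick and dirty" versus "conforms to good practice" looks like in T-SQL for a home-grown blog, followed by a scan that finds the kind of injected script tags that had to be cleaned out. The dbo.BlogPost table, its Slug/Title/Body columns and the procedure names are hypothetical placeholders.

```sql
-- Added example; not the editorial's own code.
-- Assumes a hypothetical table dbo.BlogPost (PostId, Slug, Title, Body, PostedOn).

-- 1. The quick-and-dirty lookup: user input is concatenated into the SQL text,
--    so whatever the caller sends is executed as part of the statement.
--    This is the pattern that lets an attacker append their own statements
--    (an UPDATE that stuffs a <script> tag into every text column, for instance).
CREATE PROCEDURE dbo.GetPost_Unsafe @Slug nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT PostId, Title, Body FROM dbo.BlogPost WHERE Slug = '''
             + @Slug + N'''';
    EXEC (@sql);   -- @Slug is now code, not data
END;
GO

-- 2. The hardened form: the value travels as a parameter and is never part of
--    the statement text, so the query plan cannot change no matter what is sent.
CREATE PROCEDURE dbo.GetPost_Safe @Slug nvarchar(200)
AS
BEGIN
    SELECT PostId, Title, Body
    FROM dbo.BlogPost
    WHERE Slug = @Slug;
END;
GO

-- 3. When dynamic SQL really is needed (a caller-chosen sort column, say),
--    keep user values as sp_executesql parameters and restrict identifiers to a
--    known list, wrapped in QUOTENAME() so they cannot break out of the statement.
CREATE PROCEDURE dbo.ListPosts @Slug nvarchar(200), @SortColumn sysname
AS
BEGIN
    IF @SortColumn NOT IN (N'PostedOn', N'Title')
    BEGIN
        RAISERROR(N'Unsupported sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT PostId, Title FROM dbo.BlogPost WHERE Slug = @p ORDER BY '
             + QUOTENAME(@SortColumn);
    EXEC sys.sp_executesql @sql, N'@p nvarchar(200)', @p = @Slug;
END;
GO

-- 4. Clean-up aid: list every character column in the database that contains
--    a <script tag, with a hit count, so the damage can be reviewed before any
--    row is touched. The identifiers come from the catalog (not from users) and
--    are still wrapped in QUOTENAME(); the column path is emitted as a literal
--    with embedded quotes doubled.
DECLARE @scan nvarchar(max);
SET @scan = N'';

SELECT @scan = @scan
    + N'SELECT N''' + REPLACE(TABLE_SCHEMA + N'.' + TABLE_NAME + N'.' + COLUMN_NAME,
                              N'''', N'''''') + N''' AS location, COUNT(*) AS hits'
    + N' FROM ' + QUOTENAME(TABLE_SCHEMA) + N'.' + QUOTENAME(TABLE_NAME)
    + N' WHERE ' + QUOTENAME(COLUMN_NAME) + N' LIKE N''%<script%'''
    + N' HAVING COUNT(*) > 0;' + CHAR(10)
FROM INFORMATION_SCHEMA.COLUMNS
WHERE DATA_TYPE IN (N'char', N'nchar', N'varchar', N'nvarchar', N'text', N'ntext');

-- Each generated SELECT returns a row only where at least one value matched.
EXEC sys.sp_executesql @scan;
```

The scan in part 4 is read-only on purpose: once you know which tables and columns were hit, the rows can be restored from a backup taken before the attack or corrected individually, and the injection point (the concatenating code in part 1) fixed so the clean-up does not have to be repeated.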
