I run a web server where the oldest pages are about 10 years old, and are still in old .asp.
Unfortunately I knew the answer very well. I had a bit of a nightmare last month, when I was checking my web server log and found some very strange entries like this:
DO NOT RUN THIS CODE ON YOUR DB OR IT WILL BE DESTROYED
2008-05-11 20:57:33 W3SVC2094917486 10.0.0.5 POST /Customer/Inklist.asp K=NITRO;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44004500
41004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);-- 8086 - 10.0.0.1 Mozilla/3.0+(compatible;+Indy+Library) 302 0 0
(Please note I had to break the hex code by adding carriage returns: you have to put it on a single line.
If you want to examine the code:
* Open a query window in SQL Server;
DECLARE @S NVARCHAR(4000);
SET @S=CAST( and here add all the above hex on a single line [excluding the %20AS%20... of course] AS NVARCHAR(4000));
* remove the EXEC(@S); code!!!
* add a SELECT @S; line at the end. )
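The same decoding can be done offline, without touching a database at all. The following Python script is an added example, not part of the original post: it URL-decodes the cs-uri-query field of the log entry above, pulls the hex literal out of the CAST(0x... AS NVARCHAR(...)) wrapper, decodes it as UTF-16LE (the NVARCHAR encoding SQL Server would use), and flags the DECLARE/CAST/EXEC pattern. The W3C field positions are assumed from the single line shown in the post.

```python
import re
from urllib.parse import unquote

# Constructed sample: the W3C log entry from the post, joined onto one line.
# The hex in the post is only the tail of the real payload, so it decodes to a fragment.
SAMPLE_LOG_LINE = (
    "2008-05-11 20:57:33 W3SVC2094917486 10.0.0.5 POST /Customer/Inklist.asp "
    "K=NITRO;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44004500"
    "41004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200"
    "%20AS%20NVARCHAR(4000));EXEC(@S);-- 8086 - 10.0.0.1 Mozilla/3.0+(compatible;+Indy+Library) 302 0 0"
)

# CAST(0x<hex> AS NVARCHAR(...)): SQL Server interprets the bytes as UTF-16LE text
CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+NVARCHAR", re.IGNORECASE)
# Markers of the DECLARE / hex CAST / EXEC pattern used by this injection (compared upper-cased)
MARKERS = ("DECLARE @", "CAST(0X", "EXEC(@")


def decode_hex_payload(query_string):
    """Return the decoded NVARCHAR payload(s) hidden in CAST(0x... AS NVARCHAR(...))."""
    decoded = unquote(query_string)
    results = []
    for hexstr in CAST_RE.findall(decoded):
        if len(hexstr) % 2:
            hexstr = "0" + hexstr  # odd-length hex cannot be bytes; pad instead of crashing
        raw = bytes.fromhex(hexstr)
        if len(raw) % 2:
            raw += b"\x00"  # UTF-16 needs an even byte count
        results.append(raw.decode("utf-16-le", errors="replace"))
    return results


def analyse_log_line(line):
    """Split a W3C extended log line (assumed field order: date time site c-ip method
    uri query port user s-ip ua status ...) and report whether the query looks injected."""
    fields = line.split(" ")
    uri = fields[5] if len(fields) > 5 else ""
    query = fields[6] if len(fields) > 6 else ""
    decoded_query = unquote(query).upper()
    suspicious = any(marker in decoded_query for marker in MARKERS)
    return {"uri": uri, "suspicious": suspicious, "payloads": decode_hex_payload(query)}


if __name__ == "__main__":
    print(analyse_log_line(SAMPLE_LOG_LINE))
```

Run over a whole IIS log, the `suspicious` flag gives you the hits and `payloads` shows what each one would have executed, which is the safe way to read such entries.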
I had to re-examine all of those old .asp pages and see if they were vulnerable (fortunately not, but it probably was a matter of good luck - or good programming style - because at that time SQL injection was something nobody had ever heard of, or at least I hadn't).
A few weeks later, my firewall got the signature for this attack ("Danmec.Asprox.SQL.Injection") and now recognizes those attempts, blocking them before they reach IIS.
Examining the code was really interesting to me, because I had never seen such destructive code put into action. The attacker has some brains, and deep knowledge of SQL Server internals. I tried to follow the .cn site where the HTML script, injected in every row of every table of the db, points (now that site is down).
Since then, my firewall has reported dozens of those attacks every day.
Scary, isn't it?
Bottom line is: take SQL injection risk as a real menace. There are people out there who will try everything to destroy your work and your data, for some mysterious reason! (I hope this post doesn't give some of them some bad ideas, my purpose was the exact opposite.)