For those not familiar with SQL injection, in its simplest form it’s a method of injecting a SQL statement into a database server by hiding it in a web parameter. There’s a more detailed explanation here.
Anyway, I wanted to throw together a quick blog entry on this because SQL injection is a very common issue that affects a large number of public websites. Most webmasters are not even aware that their web site exposes them to SQL injection. Recently, there’s been a flurry of activity and news on the Internet about a large number of SQL injection attacks that are being used to spread malware.
This particular form of SQL injection appears to have been done by a bot, and it also appears that most of the sites were targeted by their page rank in search engines. Hah! Sometimes it pays to be the little guy. Anyway, there are various mentions on the Internet of how to know if you’ve been compromised, so I’m not going to go into that. What I would like to bring up is that this is NOT a Microsoft problem per se. It’s a problem with poorly written web applications, which one could possibly attribute to Microsoft for making development so easy, but I don’t think that helps the situation. Microsoft did publicly acknowledge this issue here and stated that it’s not a particular vulnerability with IIS or SQL (which is actually true). However, what they don’t state is that this is a developer education issue, and people need to start taking responsibility for teaching their developers safe coding practices.
For those interested in learning more about SQL injection, check out the links I posted above. Also check out some of the SQL injection toolkits located here.
Finally, for information on how to combat SQL injection, here’s a few things that may help:
Scott Guthrie on Guarding Against SQL Injection
MSDN Patterns & Practices on How-To Protect Against SQL Injection in ASP.NET
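To make the "hiding a SQL statement in a web parameter" point above concrete, and to show the fix the linked articles recommend, here is an added example (not code from this post or from the linked articles). It uses Python with an in-memory SQLite table and a constructed request value standing in for a web parameter, rather than ASP/SQL Server, but the defect and the parameterized fix are the same on any platform.

```python
import sqlite3


def make_db():
    # Constructed sample user store standing in for a site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: the web parameter is pasted into the statement text,
    # so the database cannot tell where the data ends and the SQL begins.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened pattern: the value travels as a bound parameter and is only
    # ever treated as data, whatever characters it contains.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    # Run both lookups with an honest value and with a constructed value that
    # carries SQL inside the parameter, and return what each one yields.
    conn = make_db()
    honest = "alice"
    hostile = "x' OR '1'='1"  # constructed: a quote plus an always-true clause
    return {
        "concat_honest": lookup_concat(conn, honest),
        "concat_hostile": lookup_concat(conn, hostile),
        "param_honest": lookup_param(conn, honest),
        "param_hostile": lookup_param(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated query returns every user for the hostile value because the parameter rewrote the WHERE clause, while the parameterized query returns nothing for it, since no user is literally named that.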
One final thing: While most of this article talks about things from a Microsoft ASP/SQL point of view, SQL injection is not exclusive to Microsoft products and can occur on a variety of web and SQL platforms. Things just tend to get a bit more sensationalized when dealing with MS products.
Agree? Disagree? Let me know with a comment...