One milly-yon sites hit by a SQL Injection attack. That's what a headline I saw recently claimed, about an attack similar to Lizamoon affecting seven figures' worth of ASP.NET sites. How can this still be happening on such a large scale? I'd like to think that this was mostly small sites that people had set up for themselves, but I'm sure some decent-sized companies were involved in this.
This isn't good for your brand as a developer. If you don't know what SQL Injection is, you shouldn't be developing software. If you don't know how to code to avoid it, you shouldn't be hired by anyone to build software. If you can't write a stored procedure around a query or build a parameterized call to a database engine, you need to learn how or find another career.
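To make the point concrete, here is an added example (not from the editorial) showing the concatenated query beside the parameterized call it should be replaced with; it uses Python and an in-memory SQLite table with constructed rows so it runs stand-alone, but the same principle applies to SqlParameter in an ADO.NET call from an ASP.NET page.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The "before" pattern: user input pasted into the SQL text. The engine has no
    # way to tell where the statement ends and the attacker-controlled data begins.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # The fix: the SQL text is fixed and the value is bound separately, so it is
    # always treated as data, never as part of the statement.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    conn = build_db()
    honest = "bob"
    hostile = "x' OR '1'='1"  # constructed input: a tautology that widens the WHERE clause
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Run it and the concatenated version returns every user for the hostile input, while the parameterized version returns nothing because no username literally equals that string.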
It's sad that, years after the SQL injection problem made headlines and changed the way many companies write software, we still have thousands of applications in daily use that are vulnerable to this type of attack. There is a lot of old code out there, but it can't remain as it is. We are regularly adding new data to our systems and new data to applications. There's no excuse for companies not making a complete review of older code and updating it to remove unvalidated input and pass-through queries that could be exploited.
Educate yourself, save these headlines for your boss, and ask that no new applications, including third party ones, be purchased if they haven’t updated the code to prevent SQL Injection attacks.
Steve Jones
The Voice of the DBA Podcasts
- Watch the Windows Media Podcast – 15.3MB WMV
- Watch the iPod Video Podcast – 11.4MB MP4
- Watch the MP3 Audio Podcast – 2.7MB MP3
Shame on you, Steve, you did a SQL Injection story without referencing Little Bobby Tables… http://www.xkcd.com/327/
Nice post, Steve.
At my previous job I kept running into this and all other sorts of evil in code, database design and system architecture, and nobody seemed to care.
After raising a heads-up a thousand times, you start to think that if they don't care, there's no good reason why you should.