SQL Injection is still a big issue…

I just thought I’d pass on this story…

One of my friends has been running an Internet business for many years. It started as an ASP website against an Access database. At the time Access didn’t support bind variables, so all the SQL was written using literals concatenated into the SQL. This didn’t present much of a problem as nobody ever talked about SQL injection in those days…

Over time, the site progressed and moved over to SQL Server. Unfortunately, none of the code was revised to use bind variables, still leaving it wide open to SQL injection attacks.

I got a mail from my friend this morning telling me his hosting provider has turned off his site because it’s getting battered by hackers. I guess the only thing I can say is he’s been lucky for the last 10 years. I could have happened any time during this period…

This post isn’t a criticism of the security of any particular database engine, scripting language, application server or browser. It’s merely an observation that there are still plenty of public websites out there that have gaping SQL injection holes in them, not due to the underlying technology, but due to sloppy programming.

It’s easy to get caught up in the security ratings of our infrastructure and forget that one dodgy SQL statement can give people the key to the door.

Let the paranoia commence… 🙂

Cheers

Tim…