Only you can prevent SQL injection attacks, Microsoft Security says

UPDATE 6/25: Microsoft has decided to be helpful on the issue of SQL injection attacks. It released a tool today that it says will analyze code to help Web programmers identify problems that leave them vulnerable to this attack. The Microsoft Source Code Analyzer for SQL Injection tool has been released for Community Technology Review. 

POSTED 6/24 

The non-stop onslaught of SQL injection attacks against Web sites using Microsoft ASP and ASP.NET technologies has prompted Microsoft Security to once again issue a "not our fault" advisory today. It says:

"Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine."

The above advisory may have been in response to (or in conjunction with) today's post from the SANS Internet Storm Center discussing methods to mitigate/prevent SQL injection attacks against ASP. The post, written by Jason Lam, says:

"A lot of our readers are scrambling to find fixes for their applications. ASP is an older-generation Web scripting language and would require a bit more work to prevent SQL injection from happening. One of our readers, Brian Erman, has written a function to filter out the SQL keywords and also escape some of the metacharacters in SQL to prevent SQL injection from happening."

These attacks work because the Web application does a poor job of recognizing which bits of user-supplied data could be malicious. A better method, Lam says, is the "parameterized query," which lets the database distinguish between the static SQL statement and the user input.
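To make the difference concrete, here is an added example (not code from the post, from Microsoft, or from the SANS diary) that puts a string-concatenated query next to its parameterized equivalent. It uses Python's built-in sqlite3 module rather than ASP/ADO so it runs anywhere; the users table, the accounts in it and the inputs are all constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: user input is pasted into the SQL text, so the
    database cannot tell where the statement ends and the data begins."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, username, password):
    """Hardened pattern: the statement is fixed and the values travel separately
    as parameters, so the database treats them purely as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run both patterns against legitimate and hostile input; returns a dict
    so the outcomes can be inspected or asserted on."""
    conn = make_db()
    # Constructed hostile input: closes the open quote and appends an
    # always-true condition, the textbook shape of an injection.
    hostile = "' OR '1'='1"

    results = {
        "concat_legit": login_concat(conn, "alice", "s3cret"),
        "concat_hostile": login_concat(conn, "nobody", hostile),
        "param_legit": login_param(conn, "alice", "s3cret"),
        "param_hostile": login_param(conn, "nobody", hostile),
        # A perfectly legitimate apostrophe in a name also breaks the
        # concatenated query, which is why escaping alone is fragile.
        "param_apostrophe": login_param(conn, "o'brien", "pw"),
    }
    try:
        results["concat_apostrophe"] = login_concat(conn, "o'brien", "pw")
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the concatenated query, the hostile value returns every account and the apostrophe in a real name produces a syntax error; with parameters, the hostile value matches nothing and the apostrophe is just data. The mechanism is the same one the ASP world exposes through ADODB.Command parameters (CreateParameter) and ASP.NET through SqlCommand.Parameters: keep the statement text constant and hand the values to the driver separately, instead of trying to filter keywords out of them.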

Copyright © 2008 IDG Communications, Inc.
