There is another massive SQL Injection attack going around, this time hitting 180k ASP.NET websites. The article I referenced has a decent write-up of the actual attack and links to a post with detailed information about it. However, the IT World article gives some really poor advice on how to protect yourself from a SQL Injection attack:
There’s no easy way to fix the vulnerability of the database to this attack except to “harden” the database by applying all the patches and making all the security requirements consistent. Monitoring the database for unusual activity is important, too.
Patching SQL Server will NOT prevent a SQL Injection attack, at all. SQL Server isn't the attack vector for a SQL Injection attack; the web application is. By the time the injected SQL reaches the database (SQL Server or any other) it's too late: the database is simply executing the statement the application handed it, and it has no way to tell which part of that statement the developer wrote and which part the attacker did.
SQL Injection is actually really easy to protect yourself from. Stop building SQL by string concatenation and use parameterized queries (also called bound queries) instead. That's it, that's the big secret. Yes, I understand that writing your .NET code with parameterized queries takes a little more typing than concatenating strings and running the result, but getting your site attacked and putting malware on your customers' computers because you didn't want to do a little typing is just no excuse.
As this is a blog about my book "Securing SQL Server", here's the sales pitch. In the book I talk all about how to use parameterized queries. It really isn't that hard, and there is lots of sample code showing how to do it. You don't need stored procedures to use parameterized queries; you can do it with normal dynamic SQL as well, and it works basically the same way: the SQL text stays fixed and the user-supplied values are sent separately as typed parameters, so they are only ever treated as data and never parsed as SQL.
In case you didn't get my point yet, parameterized queries are the ONLY WAY you can be 100% sure you are protected from SQL Injection in the values a query takes. The one thing a parameter cannot carry is an identifier (a table name, a column name, an ORDER BY column), so if your application lets users choose those, match the input against a fixed list of allowed names rather than pasting it into the query. If you can't find links on how to use parameterized queries, here are a few for PHP, .NET, and more .NET.
Denny
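Here is what that looks like in ADO.NET, as an added example that is not code from the book or the original post. Both queries are plain dynamic SQL with no stored procedure. The table dbo.Products, the connection string and the payload shown in the comment are all assumed for illustration. The last method covers the one thing a parameter can't carry, an ORDER BY column name, which is handled with a whitelist instead:

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example; not code from the book or the original post. It assumes a
// table dbo.Products(ProductId int, Name nvarchar(100), Price money) and the
// connection string below, both of which are placeholders.
public static class ProductQueries
{
    private const string ConnStr =
        "Server=.;Database=Shop;Integrated Security=true";

    // VULNERABLE: the query-string value is pasted into the SQL text, so the
    // database sees whatever the caller typed as part of the statement.
    // A constructed payload such as
    //   1; UPDATE dbo.Products SET Name = Name + '<script src=...></script>'--
    // turns a lookup into a second, attacker-chosen statement.
    public static DataTable GetProductUnsafe(string idFromQueryString)
    {
        string sql = "SELECT ProductId, Name, Price FROM dbo.Products WHERE ProductId = "
                     + idFromQueryString;
        return Run(sql, cmd => { });
    }

    // SAFE: the same dynamic SQL, no stored procedure, but the value travels as
    // a typed parameter. The statement text is constant, so the payload above
    // is never parsed as T-SQL; it simply fails to convert to an int.
    public static DataTable GetProductSafe(string idFromQueryString)
    {
        // Validate the shape first: a product id is an integer, nothing else.
        if (!int.TryParse(idFromQueryString, out int id))
            throw new ArgumentException("ProductId must be an integer", nameof(idFromQueryString));

        const string sql = "SELECT ProductId, Name, Price FROM dbo.Products WHERE ProductId = @id";
        return Run(sql, cmd => cmd.Parameters.Add("@id", SqlDbType.Int).Value = id);
    }

    // Identifiers cannot be parameterized. If the caller may choose a sort
    // column, map the request onto a fixed list of real column names and
    // reject anything else, instead of concatenating the raw input.
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "name",  "Name"  },
            { "price", "Price" },
        };

    public static DataTable SearchSafe(string namePrefix, string sortBy)
    {
        if (!SortColumns.TryGetValue(sortBy ?? "name", out string orderBy))
            throw new ArgumentException("Unknown sort column", nameof(sortBy));

        // Only the whitelisted identifier is concatenated; the user-supplied
        // search text still goes through a parameter. Explicit type and length
        // avoid implicit conversions and the plan-cache churn that
        // AddWithValue's guessed nvarchar(n) would cause. LIKE wildcards in
        // the input can only widen the match, never change the statement.
        string sql = "SELECT ProductId, Name, Price FROM dbo.Products "
                   + "WHERE Name LIKE @prefix ORDER BY " + orderBy;
        return Run(sql, cmd =>
            cmd.Parameters.Add("@prefix", SqlDbType.NVarChar, 100).Value = namePrefix + "%");
    }

    private static DataTable Run(string sql, Action<SqlCommand> bind)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            bind(cmd);
            var table = new DataTable();
            adapter.Fill(table);   // opens and closes the connection itself
            return table;
        }
    }
}
```

Feed the same payload to both GetProductUnsafe and GetProductSafe and the difference is the whole point: the unsafe version runs the UPDATE, the safe version throws before a connection is even opened, and even if the TryParse check were removed the int parameter would reject the text rather than execute it.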
Hi mrdenny,
I see in your article that you stress the fact that parameterised queries are the "ONLY WAY" to protect from SQL injection.
Now this surely can't be true. But it has to be, because you wrote it in CAPS.
This can mislead the uninformed. Can you perhaps support that statement with facts from reliable sources?
Thank you.
Given that any other method can be bypassed, no, it isn't misleading the uninformed. If the query isn't parameterized, the protection can be broken.