Thursday, July 03, 2008

What is a SQL injection?

A SQL injection is akin to the worst kind of graffiti tagging and is yet another way that hackers make all our lives uncomfortable for no apparent gain to themselves!

A SQL injection attack - and I say attack because it is essentially an attack - consists of injecting (or inserting) SQL into an input field of a web application. If the application pastes that input straight into the text of its own database query, the attacker's SQL is treated as part of the query rather than as a plain value, and it is then executed against the database, which can lead to database corruption or code execution on the server. These attacks are usually automated.

SQL injection is very common in PHP and classic ASP applications because of the prevalence of older, function-based database interfaces in which queries are assembled as strings. The newer programmatic interfaces available to J2EE and ASP.NET applications are less likely to have easily exploited SQL injections.

We consider SQL injection attacks to have a high impact on our clients' websites and treat them seriously.

How we avoid SQL injection vulnerabilities
All our second generation Nautilus websites have been developed using .NET 2.0 and we avoid SQL injection attacks through the careful use of parameterised stored procedures: the SQL is fixed inside the procedure and user input is only ever passed in as a parameter value.
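
The principle behind the parameterised approach, as an added example that is not part of this post or of the Nautilus code: it uses Python's sqlite3 module as a stand-in for the .NET stored-procedure calls, with a constructed document table and constructed search terms, and contrasts a query built by string concatenation with the same query binding the search term as a parameter.

```python
import sqlite3

# Constructed sample rows standing in for a client site's document table.
SAMPLE_ROWS = [
    ("Nautilus brochure", "public"),
    ("Internal price list", "private"),
]


def make_db():
    # In-memory database so the example runs offline and stand-alone.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    # Builds the SQL text by concatenation: whatever the visitor typed
    # becomes part of the query grammar, not merely a value.
    sql = ("SELECT title FROM docs WHERE visibility = 'public' "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    # The SQL text never changes; the term travels separately as a bound
    # value, so quotes inside it cannot alter the query's structure. This is
    # the same separation a parameterised stored procedure enforces.
    sql = ("SELECT title FROM docs WHERE visibility = 'public' "
           "AND title LIKE '%' || ? || '%'")
    return [row[0] for row in conn.execute(sql, (term,))]


def demo():
    conn = make_db()
    # Constructed hostile input: closes the quoted literal and appends a
    # condition that is always true, so the visibility filter is bypassed.
    hostile = "x%' OR '1%'='1"
    return {
        "normal_vuln": search_vulnerable(conn, "brochure"),
        "normal_param": search_parameterised(conn, "brochure"),
        "hostile_vuln": search_vulnerable(conn, hostile),     # leaks private row
        "hostile_param": search_parameterised(conn, hostile),  # nothing matches
    }


if __name__ == "__main__":
    for name, titles in demo().items():
        print(name, titles)
```

Running it shows the concatenated query returning the private row for the hostile input while the parameterised query returns nothing, because the bound term is only ever compared as text.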

Our older Nautilus websites are vulnerable and we are in the process of retrofitting these websites to repel attacks.

Microsoft Security Advisory (954462), published on June 25th 2008, reported that Microsoft is aware of the recent escalation in these attacks targeting websites that use Microsoft ASP and ASP.NET.

We are currently looking at further ways to secure our server with outside software that may:
1. Scan for vulnerabilities
2. Provide protection for all websites on our server

We'll let you know how we get on.
