Enabling Secure Business Operations

SQL Injection Education

SQL injection attacks are in the news again this week. More web sites were found to be carrying hidden threats that originated from a “new, stealthier, and more closely guarded SQL injection toolkit.” You can take a look at the details of the attack here. Sites have been infected and re-infected as administrators have failed to address the root of the problem: poorly written code.

Because of my belief that education is important to the elimination of bad habits, I thought it would be a good idea to point our readers to some resources that will help them understand SQL injection and how to avoid it.

What is SQL injection?

The Wikipedia article on the subject has examples of the many forms of attack on SQL statements as well as samples of code to prevent them from occurring.

In Your Language

Using parameters in your SQL queries will eliminate most threats. Here are some useful links to learn how to use parameterized queries in your preferred programming language.
