Secure SQL Server from SQL injection attacks

July 2, 2008 – 6:20 AM

SQL injection attacks are probably the most common way for hackers to strike Internet-facing SQL Server databases. No matter how secure your network is or how many firewalls you have in place, any application that uses dynamic SQL and allows for unchecked user input to be passed to the database is at risk for a SQL injection assault. Recent reports on Web hack attacks show SQL injection attacks are on the rise and lead not only to data theft and data loss, but in the most recent string of automated injection attacks, databases were compromised to serve malicious Java script code to customers. The infiltration causes Web servers to infect the client computer with another virus. Reports vary on the number of websites that have been compromised, but even the lowest of the numbers is still in the hundreds of thousands, and at the peak of the infection, they included sites like the United Nations.

Before you go jumping off the SQL Server platform because it’s not secure, the truth is all database platforms suffer from this attack vector. Attacks against SQL Server are simply more common because there are more SQL Servers deployed in hosting environments. Developers – who don’t know how to protect against these kinds of strikes – are developing the Web pages. Because of the high success rate, this sort of attack is very popular with the malware community, and as a community, if we can remove the hackers’ ability to launch these attacks, our sites will be protected and the attackers will move on.


You must be logged in to post a comment.