Jun 02 2008

If your SQL Server databases are reachable from the Internet through a web application, and you are the person who manages, writes, or supports that web code, you need to read this:

From Buck Woody, Program Manager:

You might have read recently that there have been ongoing SQL injection attacks against vulnerable web applications occurring over the last few months. These attacks have received recurring attention in the press as they pop up in various geographies around the world. These attacks do not leverage any SQL Server vulnerabilities or any un-patched vulnerabilities in any Microsoft product – the attack vector is vulnerable custom applications. In fact, SQL Injection is a coding issue that can attack any database system, so it’s a good idea to learn how to defend against them.

In order to help you respond to and defend yourself from these attacks, Microsoft has an authoritative blog including talking points and guidance. You can find this at http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx.

Please read through the included link to the TechNet article. READ IT!

Steve Kass also talks about this in a bit more detail, along with a sister vulnerability, HTML injection: http://stevekass.com/2008/05/31/read-this-if-you-serve-up-web-pages-from-sql-data/
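The two coding mistakes the posts above describe, shown side by side in an added example that is not part of the original post or of the linked articles: a query assembled by string concatenation, the same query with a bound parameter, and HTML escaping of database content before it is written into a page. The page is about SQL Server; this example uses SQLite from the Python standard library only so that it runs offline, and the table, rows and payload are constructed for illustration. The same parameter-binding call exists in every mainstream driver (pyodbc, ADO.NET, JDBC), which is the point of the quoted text: the fix lives in the application code, not in the database product.

```python
import html
import sqlite3

# Constructed sample catalogue; not data from the original page.
SAMPLE_ROWS = [
    ("widget", "A plain widget"),
    ("gadget", "A plain gadget"),
    ("secret-sku", "Internal part, not meant for the public catalogue"),
]


def build_db():
    """Create an in-memory database standing in for the web application's SQL Server."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    # The seed data itself is inserted with bound parameters.
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The coding issue: user input is spliced into the SQL text.

    Whatever the user types is parsed by the database as part of the statement,
    so a quote in the input changes the meaning of the WHERE clause.
    """
    sql = "SELECT name FROM products WHERE name = '" + term + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The fix: the SQL text is fixed and the input travels as a bound value.

    The driver hands the value to the engine separately from the statement, so
    quotes and keywords in the input are compared literally, never executed.
    """
    sql = "SELECT name FROM products WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


def render_cell(value):
    """The sister problem (HTML injection): escape stored text before serving it.

    If an injection attack has already written markup into a column, escaping on
    output makes the browser display it as text instead of running it.
    """
    return "<td>" + html.escape(value, quote=True) + "</td>"


if __name__ == "__main__":
    conn = build_db()
    # Constructed attacker input: a closing quote followed by an always-true test.
    payload = "widget' OR '1'='1"
    print("concatenated :", search_vulnerable(conn, payload))     # every row leaks
    print("parameterized:", search_parameterized(conn, payload))  # no such literal name
    print("parameterized:", search_parameterized(conn, "widget"))

    # Constructed example of a column that an attack has already poisoned.
    poisoned = "<script>alert(1)</script>"
    print(render_cell(poisoned))
```

Run it and compare the first two lines: the concatenated query returns the whole table, including the row that was never meant to be visible, while the parameterized query returns nothing because no product is literally named `widget' OR '1'='1`. Parameterizing every query is what closes the hole; escaping on output is the separate defence against markup that may already be sitting in your tables.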