I’ve been working with the SWI team to write a comprehensive overview of the SQL Storm attacks with guidance for IT administrators, developers, and end users. That article is posted at sql-injection-attack.aspx. For developers, specifically, Bala Neerumalla has written an excellent overview of SQL injection and classic ASP code for MSDN at cc676512.aspx. This is…
Month: May 2008
SQLInjectionFinder
My colleague Greg, who has forgotten more about command line scripting than I will ever know, put together a sample on CodePlex that automates finding SQL injection attacks from the ongoing mass SQL injection attack ("SQL Storm", as I saw it dubbed today). This is a fairly convenient approach to searching logfiles on an IIS…
SQL Injection Mitigation: Using Parameterized Queries part 2 (types and recordsets)
(Part 1 is here) Previously, I provided a simple example of using parameterized queries in classic ASP; however, that sample lacked a few things such as explicit typing for the parameters. It also created a read-only ADODB.RecordSet which, obviously, isn’t one-size-fits-all. Typing In the last installment, we had worked up this code to do our…
SQL Injection Mitigation: Using Parameterized Queries
Michael Howard wrote an excellent article yesterday on how the SDL addresses SQL injection. He walks through three coding requirements/defenses: Use SQL Parameterized Queries Use Stored Procedures Use SQL Execute-only Permissions As Michael points out, only the first, parameterized queries, remedies the problem. The other two provide additional defense. The good news is that changing…