Microsoft Best Practices for preventing SQL Injection Attacks

Posted Sunday, June 01, 2008 4:41 AM by hwaldron

Idea Microsoft has recently published a series of best practices to help developers build SQL code that is not susceptible to SQL injection attacks.

SQL injection attacks occur in applications that are poorly programmed. They are not a result of failures in the data base or supporting products.  When applications do not properly filter and control input data, there is a chance inputs can be manipulated, so that dangerous redirecting scripts may end up on the website

Once a web site is infected, the newly embedded script will then direct users to another dangerous website, that can automatically download malware on the user's PC.  While these attacks have been around for years, malware authors are now using newly automated approaches to find susceptible servers automatically and infect thousands of websites in a single day.   

IT developers have an inherent responsibility to protect the privacy and integrity of customer information. These articles are "must reads" for any IT developer, for greater assurances in building secure applications.

Microsoft Best Practices for preventing SQL Injection Attacks

Microsoft Security Vulnerability Research & Defense Blog - SQL Injection Attack
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx  
 
Nazim's IIS Security Blog - Filtering SQL injection from Classic ASP
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx 
 
Neil Carpenter's Blog - SQL Injection Mitigation: Using Parameterized Queries
http://blogs.technet.com/neilcar/archive/2008/05/21/sql-injection-mitigation-using-parameterized-queries.aspx 
http://blogs.technet.com/neilcar/archive/2008/05/23/sql-injection-mitigation-using-parameterized-queries-part-2-types-and-recordsets.aspx 
 
Michael Howard’s Blog -Giving SQL Injection the Respect it Deserves
http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx 
 
MSDN Article - Preventing SQL Injections in ASP
http://msdn.microsoft.com/en-us/library/cc676512.aspx 
 
Anti-Malware Engineering Team - When SQL Injections Go Awry, Incident Case Study
http://blogs.technet.com/antimalware/archive/2008/05/30/when-sql-injections-go-awry-incident-case-study.aspx 
 
A more general overview of SQL Injection attacks can also be here:
 
What are SQL Injection Attacks?
http://en.wikipedia.org/wiki/Sql_injection

Comments

No Comments