SQL Injection I recently posted about 500,000 sites having been subjected to SQL injection attacks. For the most part, these were old ASP sites. Frankly, I didn't realize there were that many ASP sites still in existence, let alone badly coded! However, both PHP and ASP.NET sites were attacked also. Let's be clear about this: we are talking about bad coding practices here and not about any specific security flaw per-se.

Apparently the saga continues; although I don't have exact figures, there was another rise in attacks in May. Suffice to say that Microsoft saw fit to release a security advisory (954462) on Tuesday, 06-24-2008. Microsoft also enlisted the help of HP to develop a free scanner, called Scrawlr, which can identify whether sites are susceptible to SQL injection. Microsoft also announced the availability of a SQL Injection tool; a static code analysis tool to help find SQL injection vulnerabilities in older Active Server Pages (ASP) code.

 * Microsoft Source Code Analyzer for SQL Injection Tool
 * Microsoft Security Advisory (954462)

You can find plenty of informative links on good coding practices by visiting these two sites, so I'm not going to repeat them here. There is no need for somebody to have a site that is this vulnerable. It's not about spending more money upgrading your version of ASP.NET; it's about employing responsible programmers. The tools mentioned here are basically stopgap measures to buy some time before implementing a more robust solution. What price your data?