I hope that SQL Injection becomes a disease of the past at some point in the future, one that is eradicated from the world except for very rare, isolated cases. However that’s not the state of the world now, and probably not what we’ll see anytime soon. I don’t often see large scale attacks, but I wasn’t surprised when a piece from Denny Cherry appeared recently.
What was disconcerting was the attack he referenced, which was automated and self-spreading, but injecting code into hacked sites that more and more users would end up with code that joins their system to a botnet.
What’s worse? Most virus detectors didn’t pick up the code.
What’s really, really bad? Bored hackers, criminals, or anyone else could get details of the exploit on the Internet and start searching for injected machines they could easily alter or take control of in their own creative way.
In Denny’s piece, he gives advice that’s easy to follow, and shouldn’t delay development time. Most developers could easily build templates to use when writing queries, or formatted the parameterized queries. Not doing so is laziness or ignorance, and it’s dangerous.
It’s 2013. I’d say that if you write code after today that’s susceptible to SQL Injection, you ought to be fired. Plenty of people would argue that if you’ve written code in the last couple of years you should be let go, but I’m offering amnesty. Go buy Denny’s book. Go read about secure coding. Learn how to write code that doesn’t make this kind of attack easy.
Video and Audio versions
Today’s podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.