Microsoft offers advice on SQL injection

The attack method, in which a string of characters is used to compromise a page via an input field, has become an epidemic lately. SQL injection has been used to compromise hundreds of thousands of web pages and insert redirects to other sites hosting malware.

The attacks have raised particular concern because the vulnerability for infection exists in so many pages.

"These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database," said the advisory.

To combat against the attacks, the company has posted a series of best practice articles which explain how to secure SQL servers against attack. The company is also recommending a series of tools which administrators can use to check their source code and databases for possible SQL injection vulnerabilities.

Microsoft is not the only company taking action to educate users. Security firm Sans plans to offer a new class on defending against the attacks at its upcoming user conference.

Sans researcher Jason Lam said that the class will focus on such techniques as parameterized queries, which separate database commands from user input.

"To stop SQL injection at the root, we have to understand that SQL injection happens because the database cannot effectively distinguish between static portion of the SQL statement and the user input," Lam explained.

"If there is a way we can tell the database - this is static SQL statement and this is user input, SQL injection could be stopped easily."

Copyright ©v3.co.uk

adviceinjectionmicrosoftoffersonsecuritysql