Microsoft offers advice on SQL injection

By

In the face of mounting attacks, Microsoft is offering administrators and developers advice on preventing SQL injection..


The attack method, in which a string of characters is used to compromise a page via an input field, has become an epidemic lately. SQL injection has been used to compromise hundreds of thousands of web pages and insert redirects to other sites hosting malware.

The attacks have raised particular concern because the vulnerability for infection exists in so many pages.

"These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database," said the advisory.

To combat against the attacks, the company has posted a series of best practice articles which explain how to secure SQL servers against attack. The company is also recommending a series of tools which administrators can use to check their source code and databases for possible SQL injection vulnerabilities.

Microsoft is not the only company taking action to educate users. Security firm Sans plans to offer a new class on defending against the attacks at its upcoming user conference.

Sans researcher Jason Lam said that the class will focus on such techniques as parameterized queries, which separate database commands from user input.

"To stop SQL injection at the root, we have to understand that SQL injection happens because the database cannot effectively distinguish between static portion of the SQL statement and the user input," Lam explained.

"If there is a way we can tell the database - this is static SQL statement and this is user input, SQL injection could be stopped easily."
Got a news tip for our journalists? Share it with us anonymously here.
Copyright ©v3.co.uk
Tags:
adviceinjectionmicrosoftoffersonsecuritysql

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?