Over the course of the last few weeks we have seen an escalation in SQL Injection attacks. This is a huge topic, this is not something new that has just snuck up on us. It has been around for some time now. I am not sure this is even a problem with SQL Sever so much as it is an issue with not following best practices. Microsoft takes a beating on the news groups and in the press about security, but we have to use the tools that have been given to us they way that they were intended. Let’s look as SQL Server version 7.0. By default the sa password was null, you could change it but it was not forced upon us.
The end result is that SQL Injection is the result of web pages not using the best practices. Many pages were developed over the course of time that will have vulnerabilities because it was easier and faster to design the page that way. When we started to become more and more aware of how these attacks work, we spent time trying to put the band aid on our pages instead of going back to the best practices. These may sounds like harsh words, but really I have had to have conversations with developers on why they should not use sp_ in front of the stored procedures they write.
I am not sure if we are seeing more of these because school is out. I have heard that theory, but I am not sure I buy into it. The latest SQL injection is passed as hex, so most of the web pages that look for SQL keywords or single ticks are going to miss this one. The end result is that the way that we need to fix this is by going to stored procedures, validating our inputs and sticking with the best practices.