SQL Injection: the popular attack of 2008
Wednesday, May 13th, 2009

This article was contributed by guest blogger Tim Kulp.
In 2008, SQL Injection attacks were up 134% from 2007 according to IBM’s X-Force report (http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf). Previous years have seen Cross Site Scripting as the main attack vector but this year hackers went for the web application’s jugular by attacking the very data foundation of the system.
SQL Injection attacks occur when a user places SQL commands directly into the controls on a web page, such as a textbox. These commands tell the database to do something other than the action the developers intended. Example outcomes of a SQL Injection include deleting all the rows in a table, returning schema information about the database, or accessing data such as user information. Crafty attackers can even use SQL Injection as their initial attack method and then snowball the attack into a combination of Cross Site Scripting (XSS) and Clickjacking. When you examine the possible damage done by a SQL Injection, the outcomes can be frightening.
The good news is that SQL Injection attacks are easy for developers to defend against. The first and simplest protective step is to use Stored Procedures to call the database instead of direct SQL statements: instead of dynamically building a SELECT statement with a dynamic WHERE clause, use a Stored Procedure with parameters. Another measure to stop SQL Injection, and perhaps the most important one, is to ALWAYS validate the data coming into the system. Many development frameworks have anti-SQL-Injection capabilities, such as the ASP.NET Regular Expression validator control and the Custom Validator control. Check incoming values for SQL comments or keywords such as DELETE, CREATE, DROP, etc. Remember to check more than your textboxes when validating: hackers will not use the site the way you expect them to, and will craft their own HTTP POST messages to force values that are not possible through your site's own forms.
When in doubt, test SQL Injection against your own site or hire a contractor to check it for you. There are many automated tools on the web that check a site for SQL Injection flaws, and many of them are free. In the end, remember: validate requests, use stored procedures, and log every action going into and out of your data store.
Web applications are currently hot targets for hackers. With SQL Injection being a popular and easy attack, developers must make sure they are protecting their sites. Being aware of threats and proactive in securing your site will reduce your attack surface, leaving developers, users and the business happy and safe.