
Microsoft Puts Bull's-Eye on SQL Injection Attacks

Daniel Fleshbourne   on 25 June 2008 - 09:40 · 4 comments & 2927 views

Microsoft is pushing freeware to help combat SQL injection attacks. Microsoft is promoting newly released freeware to help IT pros put up a fight against SQL injection attacks.

The release of the products comes at a time when news of legitimate Web sites being compromised by SQL injection has become familiar in the headlines. Microsoft announced the products' availability on June 24 in a security advisory. Two of the tools, UrlScan Version 3.0 Beta and the Microsoft Source Code Analyzer for SQL Injection Community Technology Preview, were developed by Microsoft alone. The third, a Web site scanner called HP Scrawlr, was developed by Hewlett-Packard's Web Security Research Group in conjunction with Microsoft.

View: The full story @ eWeek

Comments (4)
(1 reply) #1 leo221 on 25 Jun 2008 - 16:11
So is SQL injection detectable at compile time? What if the SQL queries are generated on the fly? It would be nice if the compiler could flag possibly bad code.
#1.1 azcodemonkey on 25 Jun 2008 - 18:35
It should be detectable. The direct causes of injection attacks are dynamic SQL that isn't parameterized and a lack of user input validation.

It is such an easy problem to alleviate that any developer caught writing bad code should just be canned/sacked right then and there.
(1 reply) #2 vetmarkjensen on 25 Jun 2008 - 18:57
Injection attacks are a user-created weakness, but are often (albeit unjustifiably) reflected in media reports as a vendor issue.

It is good that Microsoft is looking at helping users deal with this (though if I were a boss, I would take the more draconian approach and fire anyone who wrote crap code).
#2.1 El Sid on 26 Jun 2008 - 07:20
Firing someone is a little draconian (sometimes :cheeky:), but like you said, injection attacks are a developer-created weakness, and a simple one to avoid at that. The web application I develop at work has a 5-line function to prevent SQL injection attacks when we generate unparameterized queries, and how anyone can not do this is beyond me. The inconvenience of writing the function and a small amount of research can spare you a lot of headaches in the long run.
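The two points made in comments #1.1 and #2.1 (unparameterized dynamic SQL is the root cause, and a small quote-escaping function is one stopgap for queries that are still built as strings) can be seen side by side in a short script. This is an added example, not code from the article, from Microsoft's tools, or from either commenter; it assumes Python's built-in sqlite3 module as a stand-in for whatever database the commenters had in mind, and the users table and the three rows in it are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample table so the example runs offline (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("o'brien", "obrien@example.invalid"),
         ("carol", "carol@example.invalid")],
    )
    return conn


def lookup_dynamic(conn, name):
    """Vulnerable form from comment #1.1: the value is spliced into the
    statement text, so anything in it that looks like SQL is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def escape_quotes(value):
    """A minimal escaping helper of the kind comment #2.1 describes. It only
    doubles single quotes, which is what a SQLite string literal needs, so it
    protects the quoted-string context and nothing else (hypothetical helper)."""
    return value.replace("'", "''")


def lookup_escaped(conn, name):
    """Dynamic SQL with the escaping helper applied before splicing."""
    sql = "SELECT name FROM users WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Recommended form: the driver sends the value separately from the
    statement text, so the value can never change the shape of the query."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run each lookup against benign, quote-containing and tautology inputs
    and collect what comes back, so the differences are visible in one place."""
    conn = make_db()
    results = {}
    benign = "alice"
    legit_quote = "o'brien"                  # legitimate name containing a quote
    tautology = "x' OR '1'='1"               # textbook input that always matches

    results["dynamic_benign"] = lookup_dynamic(conn, benign)
    try:
        # The quote in a legitimate name is parsed as SQL and breaks the statement.
        results["dynamic_quote"] = lookup_dynamic(conn, legit_quote)
    except sqlite3.OperationalError as exc:
        results["dynamic_quote"] = "error: " + str(exc)
    # The tautology rewrites the WHERE clause and returns every row.
    results["dynamic_tautology"] = lookup_dynamic(conn, tautology)
    # Escaping keeps the quoted-string context intact, so the same input matches nothing.
    results["escaped_tautology"] = lookup_escaped(conn, tautology)
    # Parameterization handles both cases without any escaping code at all.
    results["param_quote"] = lookup_parameterized(conn, legit_quote)
    results["param_tautology"] = lookup_parameterized(conn, tautology)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The escaping helper does prevent the string-literal case shown here, which is why a function like the one in comment #2.1 works as far as it goes; it does nothing for values spliced into numeric, identifier or LIKE positions, which is the reason the parameterized form is the one the Microsoft advisory's tooling pushes developers towards.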
