Earlier this year, there was a noticeable upsurge in the number of SQL injection attacks perpetrated against users of Microsoft technologies. SQL injection is a common technique that exploits unfiltered entry fields on a web application. For example, let’s say you have an application that lets users enter their first and last name in separate entry fields on a web page. A typical user might enter Bob, Savannah, or Nguyen in an entry field. However, a malicious user might enter “Robert'); DROP TABLE students;--”, which would wreak havoc in the application. This type of attack is called a SQL injection attack because the attacker has appended, or injected, an SQL statement into the entry field.

Protect Your ASP and ASP.NET Applications

SQL injection attacks don’t occur only on SQL Server databases backing ASP and ASP.NET front-end applications; they can also occur on PHP applications with MySQL back ends and Java applications with Oracle back ends. All database platforms are vulnerable to SQL injection attacks. You can prevent such attacks by filtering the entry fields on your web pages so that only allowable values are permitted.

Because of the upsurge in SQL injection attacks, Microsoft has published an important security advisory that points to the following three important tools that you can use with your ASP and ASP.NET applications to prevent SQL injection attacks:

  • HP Scrawlr: This free scanner utility can detect and identify whether your website is susceptible to an SQL injection attack. The utility crawls a website, analyzing the entry fields of each web page for SQL injection vulnerabilities as it goes. (Note that it doesn’t work against JavaScript, Flash parsing, or POST parameters.)
  • URLScan: This security tool actively restricts the kind of HTTP requests that Microsoft IIS will process. URLScan isn’t a substitute for properly programming a web application, but it can prevent some potentially harmful requests from reaching the web application and SQL Server. It works on IIS 5.1 and later, including IIS 7.0 for Windows Server 2008.
  • Microsoft Source Code Analyzer for SQL Injection: This command-line tool analyzes your static ASP source code written in VBScript (not ASP.NET) and reveals possible vulnerabilities to SQL injection attacks. The tool then generates a report detailing the vulnerabilities it detected and possible remedies.

Design and Develop Applications with Security in Mind

Although each of these tools can help prevent an attacker from penetrating and damaging your website and SQL Server database, none of them is as effective as designing and developing your application with security in mind. SQL injection is an old style of hacking websites, and it’s quite easy to prevent when value checks are written into the code from the beginning. For more information about preventing SQL injection attacks, I recommend reading "Hack Your Database Before the Hackers Do," May 2008, to learn more about how to protect your websites and databases from SQL injection attacks. MSDN also offers many articles on that topic.
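To make the name-field scenario from the opening paragraph and the "value checks" recommendation concrete, here is an added example (not code from the article or from Microsoft) that runs the article's own "Robert'); DROP TABLE students;--" input through a vulnerable string-concatenated INSERT and through a parameterized one, plus an allow-list check for the field. It assumes an in-memory SQLite table as a stand-in for the SQL Server back end and uses executescript() to mimic a driver that executes multi-statement batches, as classic ADO code does.

```python
import re
import sqlite3

# Constructed sample input: the payload quoted in the article above.
MALICIOUS_NAME = "Robert'); DROP TABLE students;--"

# Allow-list for a name field: letters, spaces, hyphens and apostrophes only.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")

def is_allowed_name(value: str) -> bool:
    """Value check the article recommends: reject anything outside the allow-list."""
    return NAME_PATTERN.fullmatch(value) is not None

def fresh_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the SQL Server back end (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO students (name) VALUES ('Savannah')")
    conn.commit()
    return conn

def insert_unsafe(conn: sqlite3.Connection, name: str) -> None:
    """Vulnerable: the field value is pasted into the SQL text. executescript()
    runs the result as a multi-statement batch, as classic ADO/ASP code would."""
    conn.executescript("INSERT INTO students (name) VALUES ('" + name + "')")

def insert_safe(conn: sqlite3.Connection, name: str) -> None:
    """Hardened: the value is bound as a parameter, so it can never become SQL."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()

def students_table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'students'"
    ).fetchone()
    return row is not None

def student_names(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY id")]

def demo_unsafe() -> bool:
    conn = fresh_db()
    insert_unsafe(conn, MALICIOUS_NAME)
    return students_table_exists(conn)  # False: the injected batch dropped the table

def demo_safe() -> list:
    conn = fresh_db()
    insert_safe(conn, MALICIOUS_NAME)
    return student_names(conn)  # ['Savannah', "Robert'); DROP TABLE students;--"]
```

The parameterized path stores the payload as harmless text, while the allow-list check rejects it before it ever reaches the database; both defenses together are what "writing value checks into the code from the beginning" means in practice.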