If you write any kind of script on the Internet be it ASP, ASP.net, PHP, PERL, Ruby, Python, anything that accesses a database then you should be aware of SQL Injection attacks.
This posting is going to reference two other blogs, one is the great Scott Guthrie’s blog (best damn blog on ASP.net on the Internet) and his post on Guarding Against SQL Injection attacks.
The second blog we’ll reference is Scott’s inspiration for his blog article, Michael Suttons blog and his work to see just how bad SQL injection is on the Internet. Michael did a quick google search and sampled something like 1000 websites and found that 11% of them were vulnerable to SQL injection.
Both blogs do an excellent job detailing SQL injection and providing links and references on how to fix your code and where to get more information on good coding security.
My addition to all this is that I’m going to add Secunia.com. Secunia.com provides a database of open and closed vulnerabilities for various applications and operating systems. Everything from Cisco to Windows is included here.
I get a constant stream of email updates from secunia.com and each day I get atleast one email with either a SQL Injection or Cross Site Scripting vulnerability being listed so I know firsthand just how widespread the problem really is. I did a quick search on their database for SQL Injection and it found 1288 applications that either had or have a SQL injection vulnerability. Folks, SQL Injection is a huge issue.
If you’re going to purchase a web application or install any sort of web application (PHPBB, OSCommerce, Storefront, aspdotnetstorefront, you name it) I recommend you search Secunia’s database first.