Website design, development & Internet marketing in Devon and Cornwall
Four Degrees West Limited
This entry was posted on Wednesday, July 9th, 2008 at 9:50 am and is filed under Articles.

SQL Injection Therapy

Posted on July 2008 in Articles

A database-driven website can be a very powerful marketing tool. For one thing, it can be used to maintain your website content, keeping it fresh with, for example, news and events. For another, it can power complex searches, such as those on eBay and Auto Trader, to name a couple.

Unfortunately, there are people out there who will make money out of exploiting weaknesses in your website code in order to update your database with ‘malware’ and, in doing so, use your site for their own ends. Forget right and wrong. Most of us know that it’s impossible to police the internet, so while this is clearly wrong (and deserving of a seriously good hiding to the perpetrator), the only answer is to tighten up the site.

One of our customers had their site hacked into via SQL injection techniques, which basically exploit weaknesses in SQL code to update your database, in this case to append fields with script code which points the site user to various malware sites. As I discovered, it’s not just a matter of cleaning the database up, because once your site becomes a target, it will get hit over and over.

I won’t bore you with the details and solution. Microsoft are happy to explain the problem and guide you on that on their support site here. I tightened up database security as the main method of removing the problem. The site was temporarily blocked by Google, but use of our webmaster tools soon sorted this out. The site is now back up and running, I’m pleased to say.

Let us know if you need any help dealing with SQL injection attacks or any other help with website maintenance. Initial advice, as always, is FREE.

Dave.
