News

Who's to Blame for SQL Threat?

SQL injection attacks stir up concerns over weaknesses in databases and coding practices.

Database developers have found themselves in an unwelcome spotlight in recent weeks, thanks to reports that the latest SQL injection exploit may have impacted hundreds of thousands of sites running Internet Information Services (IIS) and SQL Server.

According to various reports, these attacks occur after a hacker injects malicious JavaScript code into the actual database server, which in turn can insert or create one or more malicious scripts that can wreak havoc on the computer of a user visiting the offending Web site. That led the United States Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security, to advise end users to disable JavaScript and ActiveX controls and to practice good patch management.

There are no new vulnerabilities in SQL Server or IIS, wrote Bill Sisk, a communications manager for Microsoft's Security Response Center, in a blog posting. "To protect against SQL injection attacks the developer of the Web site or application must use industry best practices," Sisk wrote.

Blame Game
So is Microsoft passing the buck by blaming developers? Many are pointing out that while SQL injections can be extremely destructive and costly, any database left vulnerable will execute anything it determines is valid SQL-be it SQL Server, Oracle, IBM's DB2 or others.

"To suggest that the database vendor should somehow know and choose which SQL should or should not be executed, outside of security and data quality constraints, is way out of bounds," says Wayne Snyder, president of the user group Professional Association for SQL Server (PASS) in an e-mail. "It would be great if all software could do what we intend, instead of what we say."

Snyder, who's also a managing consultant at Mariner LLC, a Charlotte, N.C.-based consultancy and Microsoft business partner, believes threats like this are universal.

"I can't recall the last time I saw any software which spent any effort at all in denying this kind of attack," he adds. "Lack of money, lack of time, lack of interest, difficulty in deciding what to do-all contribute to the fact that most apps and programmers don't defend against this."

Changing Priorities
Will this latest exploit be the one to lead IT organizations to put more priority-and money-into secure coding practices?

"Unfortunately many discussions and project plans don't even have this as an item on the risk assessment," Snyder notes. "The sad truth is that we, as developers, DBAs and project managers, are left holding the bag on this-because it's our bag!"

About the Author

Jeffrey Schwartz is editor of Redmond magazine and also covers cloud computing for Virtualization Review's Cloud Report. In addition, he writes the Channeling the Cloud column for Redmond Channel Partner. Follow him on Twitter @JeffreySchwartz.

comments powered by Disqus

Featured

  • .NET 11 Preview 6 Roundup: ASP.NET Core, MAUI, C#, EF Core and SDK Updates

    Microsoft's sixth .NET 11 preview advances async validation, C# unions, cross-platform UI controls, database queries, testing tools, Native AOT and container images.

  • Low-Coding in the Age of AI: Dataverse Embraces Copilot, Claude and Cursor

    Microsoft is extending Dataverse into coding-agent marketplaces while expanding its MCP tools, certification program and governance controls.

  • Visual Studio Takes Aim at Copilot Billing Shock

    Beyond Copilot usage visibility, the June update delivers several other enhancements centered on AI-assisted development, security and quality-of-life improvements. Here's a quick rundown of the remaining additions announced by Microsoft.

  • Claude AI Gets Yet Another Boost in VS Code 1.128

    The July 8, 2026, Visual Studio Code update expands agent workflows, chat attachments, browser-tab controls, OS-level shortcuts and enterprise telemetry management.

Subscribe on YouTube