SQL injection via QueryString becoming an issue
whitesites
I don't know if they had a talk on how to do SQL injection attacks at the last Blackhat conference, but ever since the last one I have noticed a huge increase in the number of attacks.
I have been getting a lot of SQL injection attempts on a couple of my websites. Hackers are using a new technique of passing variables within the querystring. I have my site set up to blacklist any IP that triggers a few little traps. The attacks seem to be coordinated, as they usually come in swarms. If you want to see if you have been under attack, open your log files and do a search for the string "EXEC(". I am going to post the IPs I catch on my blog for others to use. It would be nice if HostMysite would start up their own blacklist that some of the more experienced programmers could all contribute to. I have made a little write-up on how to protect your site against these SQL injection attacks: http://blog.whitesites.com/protecting-against-SQL-injection-attacks-using-querystring__633544300378186168_blog.htm
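An added example of the log check described in the post above (example code, not from the poster's write-up or from HostMySite): it parses a few constructed IIS W3C-style log lines, URL-decodes the query string, and flags EXEC( calls case-insensitively, so percent-encoded or lower-case variants that a plain text search for "EXEC(" would miss are caught as well, then tallies the client IPs that tripped the trap. The log lines, addresses, paths and the seven-field column order are constructed for the example.

```python
"""Scan W3C-style web-server log lines for SQL-injection attempts carried in the query string."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C format: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# These lines, addresses and paths are made up for the example, not taken from anyone's logs.
SAMPLE_LOG = """\
2008-05-01 10:00:01 203.0.113.7 GET /products.asp id=12 200
2008-05-01 10:00:02 198.51.100.23 GET /products.asp id=12;EXEC(@S);-- 500
2008-05-01 10:00:03 198.51.100.23 GET /news.asp id=7%3B%45%58%45%43%28%40S%29%3B-- 500
2008-05-01 10:00:04 203.0.113.9 GET /search.asp q=executive+offices 200
2008-05-01 10:00:05 192.0.2.44 GET /products.asp id=3';exec(@s);-- 500
"""

W3C_FIELDS = ("date", "time", "c_ip", "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status")

# T-SQL EXEC or EXECUTE followed by an opening parenthesis. Matched after URL-decoding and
# case-insensitively, so "exec (" and %45%58%45%43%28 are caught as well as a literal "EXEC(".
# The \b keeps ordinary words such as "executive" from matching.
EXEC_CALL = re.compile(r"\bEXEC(?:UTE)?\s*\(", re.IGNORECASE)


def parse_line(line):
    """Split one W3C log line into a dict; return None for blank, comment or short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) < len(W3C_FIELDS):
        return None
    return dict(zip(W3C_FIELDS, parts))


def decode_query(query):
    """URL-decode twice: a double-encoded payload (%2545...) survives one pass as text a grep misses."""
    return unquote_plus(unquote_plus(query))


def is_exec_injection(query):
    """True when the decoded query string contains an EXEC(...) call."""
    return EXEC_CALL.search(decode_query(query)) is not None


def suspicious_ips(log_text, threshold=1):
    """Return sorted (ip, hits) pairs for clients that tripped the EXEC( trap at least `threshold` times."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_exec_injection(rec["cs_uri_query"]):
            hits[rec["c_ip"]] += 1
    return sorted((ip, n) for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in suspicious_ips(SAMPLE_LOG):
        print(f"{ip}\t{n} attempt(s)")
```

A literal search for "EXEC(" in the raw log finds only the first form; the decoded, case-insensitive match here also finds the percent-encoded and lower-case requests from the same addresses. This flags attempts, not successes: whether a request actually reached the database is a separate question the status code alone does not settle.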
Arian
Well, that's true; most scripts are vulnerable to SQL injection.
|
||||||||||||
|
|
|||||||||||||
RE: SQL injection via QueryString becoming an issue
hennry
As predicted, the attacks against ASP and ASP.NET pages via SQL injection have continued. This time the domain name "winzipices.cn" is in the spotlight. It has managed to find itself in the source of over 4,000 pages according to Google.
------------------------ hennry
SQL Injection
dstoltz
I've had problems too...
I have an ASP script that I include in any ASP page that accesses a database, and I've been good since. If you're interested in the script, let me know. I've heard more hosts are incorporating hardware blocking mechanisms for things like this. Is HostMySite going to follow this path? I sure hope so.
Josh
Forum Regular
The host isn't, and shouldn't be, responsible for bad coding practice. SQL injection happens because data is not validated and/or checked properly. And since you're talking about ASP and ASP.NET, there's a great way to pretty much stop SQL injection dead in its tracks...
Parameterized queries. Use them. Love them.
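As an added illustration of the point above (example code, not from any poster; Python with an in-memory SQLite database standing in for the ASP/ASP.NET and SQL Server setup discussed in the thread), the same product lookup is written both ways: concatenating a query-string value into the SQL text, and binding it as a parameter. The same split exists in ASP.NET, where SqlCommand takes SqlParameter objects instead of a concatenated string. The table, rows and the `?id=` payload are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table; stands in for the site's real product database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 1), (2, "Gadget", 1), (3, "Unreleased", 0)],
    )
    return conn


def lookup_concatenated(conn, raw_id):
    """VULNERABLE: the classic ASP habit of pasting Request.QueryString("id") into the SQL text.
    Whatever the client sends becomes part of the statement the database parses, so a value
    like "1 OR 1=1" rewrites the WHERE clause and the published filter is bypassed."""
    sql = "SELECT name FROM products WHERE published = 1 AND id = " + raw_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, raw_id):
    """SAFE: the value travels to the database as a bound parameter, never as SQL text.
    The statement's structure is fixed before the client's data is seen; "1 OR 1=1" is
    compared against the id column as an opaque value and matches nothing."""
    sql = "SELECT name FROM products WHERE published = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def parse_product_id(raw_id):
    """Defence in depth: validate the type as well. A product id is a positive integer,
    so anything else is rejected before it gets near a query at all."""
    try:
        value = int(raw_id)
    except ValueError:
        return None
    return value if value > 0 else None


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"  # constructed attacker value for ?id=
    print("concatenated :", lookup_concatenated(conn, payload))   # every row, including unpublished
    print("parameterized:", lookup_parameterized(conn, payload))  # nothing: the value is just data
    print("validated    :", parse_product_id(payload))            # None: rejected before the query
```

The parameterized version is the fix; the type check is cheap extra insurance and also gives the page a clean place to return a 400 instead of an error page that leaks SQL.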
yes
dstoltz
Yes, I use them too. They are great.
However, I disagree with you as far as the hosting goes. They sell hardware devices which protect against a whole host of attacks, SQL injection only being a small part of the protection. As more and more attacks become evident on the web, hosting providers should take the needed steps to help protect their clients, period. There are vulnerabilities out there that can harm the server/database no matter what you code. This is what I'm talking about. Thanks!
Josh
Forum Regular
But SQL injection is not caused by a host-provided solution. It's caused by the developer. Why should the host be held responsible for an irresponsible/unknowledgeable developer? This just doesn't make sense to me.
Vulnerabilities that are intrinsic to (what I consider to be) a host-level application like a database server or email server are one thing. But SQL injection is a vulnerability brought on only by the developer. Cross-site scripting can EASILY be accounted for server-side by a function that's usually provided by the application server's native functionality. I just don't get why a hosting provider should be held responsible for something that a developer writes. How about this: instead of throwing the ball into the host's court, let's put it back into the developer's court and send that sucker off to school.
Missing the point
dstoltz
You're missing my point...
Can SQL injection be avoided at the developer level? Yes, that much we agree on. I'm not saying, nor have I ever said, that it's the hosting company's responsibility to prevent SQL injection. What I AM saying is that hosting providers can (and many now do) install hardware devices that protect against many malicious things: malware, DoS, etc. If that same device protects against SQL injection too, all the better. Don't you agree? Let's face it, it IS in the hosting company's best interest to protect their servers, databases, etc. If added measures can be introduced that help, shouldn't that be done? At this point the word "responsibility" really doesn't matter. You know as well as I do that there will never be a day when all developers are 100% versed in best coding practices. To say "send them to school" is simply laughable. There are well-seasoned developers out there who had no idea what SQL injection even was until it happened. My point? You never know when the next hacking technique will flood the internet. You may be a great developer, but you're not immune to new attacks.
rmathus
I think the reason a lot of hosts don't use it (granted, this is pure speculation and not from a HostMySite.com perspective) is that the cost of deploying and maintaining such a device is high. Considering how cheap shared hosting is across the board, it's not cost effective, I'd assume.
We just deal with SQL injection on a case-by-case basis. Besides, a device that would catch SQL injection isn't the best idea anyway, because it still comes back to poor coding on the programmer's part. It's just a band-aid solution that stops it for the time being. Plus there's the maintenance and constant upkeep of keeping the rules current to catch the injections, which leads to X man-hours, and so forth. The cost is likely the determining factor in most places; that's my guess.
perhaps
dstoltz
Perhaps you're right...
But some hosts are doing it. It's hardly a band-aid. Would SQL injection keep coming back? Sure it would, just like all the viruses. That's why we all rely on anti-virus, which eventually grew into anti-malware, anti-spyware, anti-everything. Is this because of "bad programmers"? You can sit there and argue that yes, it's bad programming, and that's why viruses can happen in the first place, but then you'd realize that nobody, nobody, writes perfect code. And that's why we all rely on other programs and devices to help fight the battle. If that's cost prohibitive, that's a shame. I for one would be willing to pay a bit extra for better protection, but then, that's me.
Josh
Forum Regular
You know, I've never found "but somebody else does" to be an argument for anything. There are a hundred reasons why that reasoning often fails. The one point that can't be negated is that in order to truly account for most of the issues you propose these devices would fix, you really need to start at the root of the issue: the developer.
As far as it being in the host's best interest to protect their servers, I want to remind you that when you subscribe to a hosting service, the host is void of responsibility for server uptime, health, data integrity, etc. This is for a reason: because you can't account for everybody's bad habits. Again, get back to the root of the issue. I also find the reasoning of "You know as well as I do that there will never be a day where all developers are 100% versed on best coding practices" to be extremely flawed. Regardless of the abilities of their customer base, they are not responsible for those customers, their data, or their lack of ability. Let's fix it at the root of the issue. Viruses and malware can USUALLY be tracked to bad judgement and behaviors regarding computer usage. Should all OS vendors start trying to account for all of the stupid things users do, or is it more reasonable to offer educational materials and opportunities to fix the problem at the root of the cause? I don't run anti-malware, or a "top end name brand" anti-virus program, on any of my equipment. And I don't think that OS vendors should build antivirus/antimalware into their OS just because a majority of their target audience is inept at the proper usage of their software. Usually the items that cannot be accounted for by developers are handled via routers, managed switching, etc. And I think it's silly to get carried away by placing the responsibility for bad development practices on a host. I guess the two of us can agree to disagree, but rather than base my reasoning on made-up statistics and assumptions, I like to base mine on facts. The facts that I have regarding the subjects discussed in this thread point back to one root cause in almost every case: the developer.
You're right, we disagree
dstoltz
Josh, it seems like you can't agree to disagree.
I really can't express my point any more simply: a developer will never be able to have the knowledge to program 100% hack-proof code, especially considering code is always changing and exploits are adapting. Therefore, a little extra protection can't hurt, whether it be hardware or software. You're taking this out of context. I am not blaming the hosting companies. Period. 'Nuff said.