Preventing SQL Injection is not enough

A customer said today that they are using stored procedures so unless I knew of any other SQL Injection risks then they thought that was enough.  The truth is that the answer is that this is true in most people’s minds.  The problem is that this common mindset is exactly the kind of thing that aids hackers.

While using stored procedures or parameterized queries or any of the other methods to thwart hackers is not only highly recommended, but also an absolute requirement, I don’t feel it is enough.  We are treating the symptoms, not the disease.  If a hacker fails in their SQL Injection attack because of these measures then great, but we haven’t prevented them from trying something else.

Think about having the application try to detect such attacks even if you are impervious (which you probably aren’t in my experience) and when you detect this kind of attack then do something to hinder the hacker.  Close their session, ban their host, crash their browser, whatever you can do to make it harder for them to move to the next step of their attack will ultimately help you.

I will discuss this topic more in future posts as I think there is alot left to say on it, but for the moment look at your existing web application in this light and see what you come up with.