Security: mass SQL injection hack

I’m starting a couple new departments on the blog today. The first, the Security department, is going to be posts about computer security concepts and events as I attempt to educate myself about the field. I’m kicking off the department with this story about a mass SQL injection attack that recently hit more than 70,000 sites (via Slashdot That’s a lot of compromised sites, but the really astonishing thing is the vector that was used to do it.

SQL injection—putting database command language into a system as user input or command parameters so that it is executed in a remote system—isn’t a new attack vector. It’s been around since at least 2004, when it was used to deface the Dremel website. It’s also a fairly well understood attack—if you can explain a security vulnerability in a comic strip, you have something that developers should be able to figure out how to avoid.

So why are these vulnerabilities so widespread? One reason may be the ease of web development and its separation from more structured programming disciplines. It’s second nature to a well educated developer to sanitize inputs; self-taught scripters (PHP, ASP, whatever) may not have been exposed to the importance of this principle.