26 Jun 2008
Microsoft is offering administrators and developers advice on preventing SQL injection attacks in the face of mounting threats.
The attack works by submitting crafted text through a web form or URL parameter: if the application pastes that text straight into a SQL statement, the database executes the attacker's SQL along with the intended query.
SQL injection has been used to compromise hundreds of thousands of web pages and insert redirects to other sites hosting malware.
The attacks have raised particular concern because so many pages are vulnerable to them.
"These SQL injection attacks do not exploit a specific software vulnerability, but instead target sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database," said the Microsoft Security Advisory.
The company has posted a series of best practice articles which explain how to secure SQL servers against attack.
Microsoft is also recommending a series of tools which administrators can use to check their source code and databases for possible vulnerabilities.
Microsoft is not the only company taking action to educate users. Security organisation SANS Institute plans to offer a new class on defending against the attacks at its upcoming user conference.
SANS researcher Jason Lam said that the class will focus on techniques such as parameterised queries, which separate database commands from user input.
"To stop SQL injection at the root, we have to understand that SQL injection happens because the database cannot effectively distinguish between static portions of the SQL statement and the user input," Lam explained.
"If there is a way we can tell the database that this is a static SQL statement and this is user input, SQL injection could be stopped easily."
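The separation Lam describes, shown as an added example that is not from the article, from Microsoft's guidance or from the SANS class: Python's sqlite3 module stands in for the SQL Server/ASP stack the 2008 attacks targeted, and the schema, the user rows and the attacker inputs are constructed for the demonstration. The first login function builds the statement by string formatting, so the database receives one string and cannot tell static SQL from user input; the second sends the statement and the values separately, so the values are bound as data and can never become part of the statement.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows for the demonstration (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user"), ("o'brien", "pw", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the database sees a single string and cannot tell
    where the static SQL ends and the user input begins."""
    sql = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        # A stray quote breaks the statement. A real site would show an error
        # page here, which is exactly the signal an attacker probes for.
        return None


def login_parameterised(conn, username, password):
    """Parameterised query: the static SQL goes to the database as-is and the
    values are bound separately, so a quote in the input is just a character."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Honest credentials: both versions return the same row.
    print(login_vulnerable(db, "alice", "s3cret"), login_parameterised(db, "alice", "s3cret"))
    # "--" starts a SQL comment, so the password check is cut off the statement.
    print(login_vulnerable(db, "alice' --", "wrong"))     # [('alice', 'admin')]
    print(login_parameterised(db, "alice' --", "wrong"))  # []
    # Classic tautology: the concatenated query returns every row in the table.
    print(login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))     # 3 rows
    print(login_parameterised(db, "' OR '1'='1", "' OR '1'='1"))  # []
    # A legitimate apostrophe breaks the concatenated query but binds cleanly.
    print(login_vulnerable(db, "o'brien", "pw"))     # None (syntax error)
    print(login_parameterised(db, "o'brien", "pw"))  # [("o'brien", 'user')]
```

The last case is worth noting: the parameterised version needs no escaping of its own, because the driver never lets the value touch the statement text, which is why it also fixes the "O'Brien" class of bugs that escaping-based defences tend to get wrong.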