A lot of the attacks I have seen have also been on systems that have been around for quite a while. They’re working fine so no-one is looking to upgrade them. But they were often built with coding techniques that are now considered inappropriate. It’s hard to give them a hard time though, as many of those coding techniques were used as examples of how to do things before the whole SQL Injection discussion started in earnest. For example, a quick look at the coding in the old Microsoft courses would make you shudder today.
Regards,
Greg

From: ozdotnet-boun...@ozdotnet.com On Behalf Of David Connors
Sent: Wednesday, 1 September 2010 1:47 PM
To: ozDotNet
Subject: Re: [OT] SQL injection attack vectors

On 1 September 2010 13:38, Sam Lai <samuel....@gmail.com> wrote:

> Out of curiosity (it isn't Friday yet, but close enough) - does parameterized SQL render all SQL injection attack techniques useless?

Yes, with the single (AFAIK) exception of particularly special people who take the input on the stored procedure side, assemble it into dynamic SQL, and then EXECUTE @Statement it in T-SQL.

> If so, why do we still hear of successful SQL injection attacks, particularly in relatively newly written apps?

People do not think about quality or maintenance.

> A lack of education/knowledge, ignorance, the curse of PHP developers...

I would not single out PHP developers for this.

--
David Connors | da...@codify.com | www.codify.com
Software Engineer
Codify Pty Ltd
Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 363
V-Card: https://www.codify.com/cards/davidconnors
Address Info: https://www.codify.com/contact
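The exception David describes, a stored procedure that takes its (already parameterized) input, assembles it into dynamic SQL and EXECUTEs it, as an added T-SQL illustration that is not from the thread: the weak pattern beside the sp_executesql form that keeps the value a parameter, and the static form that needs no dynamic SQL at all. The table and procedure names are constructed for this example.

```sql
-- Constructed schema for the illustration (not from the thread).
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, Name nvarchar(100), Email nvarchar(100));
GO

-- WEAK: the application calls this procedure with a proper parameter, but the
-- procedure splices the value into the statement text and EXECUTEs it. The
-- value is now part of the SQL text, so the outer parameterization bought nothing.
CREATE PROCEDURE dbo.FindCustomer_Dynamic @Name nvarchar(100)
AS
BEGIN
    DECLARE @Statement nvarchar(max);
    SET @Statement = N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = N'''
                   + @Name + N'''';
    EXECUTE (@Statement);   -- the pattern David names as the one exception
END
GO

-- FIXED: when dynamic SQL is genuinely needed (here the column to filter on is
-- chosen at runtime), the value never enters the statement text; it travels as
-- a typed parameter through sp_executesql. Only the identifier is spliced in,
-- and only after an allow-list check plus QUOTENAME.
CREATE PROCEDURE dbo.FindCustomer_Safe @Column sysname, @Value nvarchar(100)
AS
BEGIN
    IF @Column NOT IN (N'Name', N'Email')
    BEGIN
        RAISERROR(N'Unsupported column', 16, 1);
        RETURN;
    END
    DECLARE @Statement nvarchar(max) =
        N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE '
        + QUOTENAME(@Column) + N' = @Value';
    EXEC sys.sp_executesql @Statement, N'@Value nvarchar(100)', @Value = @Value;
END
GO

-- BEST: for a fixed query there is no reason to build SQL text at all.
CREATE PROCEDURE dbo.FindCustomer_Static @Name nvarchar(100)
AS
BEGIN
    SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = @Name;
END
GO
```

A quick audit of an existing code base is to search stored procedures for EXEC/EXECUTE applied to a string variable or concatenation; each hit is a candidate for the sp_executesql rewrite above.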