SQL Injection Attack

We had a SQL injection attack on 12/11.

They didn’t delete anything… but they did create a new table in the news database. I looked it up and apparently they were trying out a popular script to see if it would work.

I’ve since updated all exposed parts of the site to have read-only access… so if someone does try to append SQL injection code then it won’t execute.
I need to scrub some SQL, but when I first tried replacing single quotes it messed up any single quotes from legitimate input boxes…

I don’t think I pissed anyone off… this script was probably just to see if it would work…

The new accounts should work fine… I’ve never had any intrusions on the .NET app, but the ASP apps seem to be a little more vulnerable.

I’m putting up a hardware firewall to close off ports, too…

Yeah, most of the form input stuff is cleaned… there are other ways to do a SQL injection (which I’m not going to post for obvious reasons). I was vulnerable by using the same full-access login for reading the database… now all public parts of the site use a read-only login. Hopefully that will stop any SQL injection attacks.

I’m not a security expert by any means, but limiting the access should nip that in the bud. Anyone who wanted to hack my SQL would really really have to know what they’re doing.
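The two fixes described above, handling single quotes without scrubbing them and giving the public site a read-only database login, as an added example that is not the site's own ASP or .NET code: Python with SQLite standing in for the news database. The rows are constructed sample data, and `PRAGMA query_only` stands in for a read-only SQL login.

```python
import sqlite3

# Constructed sample rows; the real news database is not part of this example.
SAMPLE_ROWS = [("O'Brien", "Patch Tuesday roundup"), ("alan", "Site maintenance")]


def build_news_db():
    """In-memory stand-in for the news database, populated with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, author TEXT, title TEXT)")
    db.executemany("INSERT INTO news (author, title) VALUES (?, ?)", SAMPLE_ROWS)
    return db


def search_concatenated(db, author):
    """The pattern that gets injected: user input spliced into the SQL text.
    A legitimate apostrophe (O'Brien) closes the string literal early, so the
    query breaks, which is what tempts people to strip quotes from input."""
    sql = "SELECT title FROM news WHERE author = '" + author + "'"
    try:
        return [row[0] for row in db.execute(sql)]
    except sqlite3.OperationalError:
        return None  # the input was parsed as SQL syntax, not as data


def search_parameterized(db, author):
    """The fix: bind the value through a placeholder. The driver keeps it as
    data, so no quote scrubbing is needed and O'Brien matches exactly."""
    rows = db.execute("SELECT title FROM news WHERE author = ?", (author,))
    return [row[0] for row in rows]


def open_read_only(db):
    """Stand-in for the read-only login: this connection now refuses all writes."""
    db.execute("PRAGMA query_only = 1")
    return db


def try_create_table(db):
    """Return True if a CREATE TABLE goes through, False if the connection rejects it."""
    try:
        db.execute("CREATE TABLE unexpected (x TEXT)")
        return True
    except sqlite3.OperationalError:
        return False  # 'attempt to write a readonly database'


if __name__ == "__main__":
    db = build_news_db()
    print("concatenated O'Brien:", search_concatenated(db, "O'Brien"))   # None
    print("parameterized O'Brien:", search_parameterized(db, "O'Brien"))  # ['Patch Tuesday roundup']
    print("CREATE TABLE on read-only connection:", try_create_table(open_read_only(build_news_db())))  # False
```

With the read-only connection even a query that does get injected cannot create a table, which is exactly the damage the post describes.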

Alan is a web architect, stand-up comedian, and your friendly neighborhood Grammar Nazi. You can stalk him on the Interwebs via Google+, Facebook and follow his ass on Twitter @ocmodshop.