A serious SQL injection attack has injected a malicious iframe into more than 100,000 susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search for the iframe returned over 132,000 hits as of December 10, 2009.

Keep in mind that almost all of these attacks succeed because of poor coding: user-supplied data concatenated straight into a SQL string. It is very important to urge beginners (and some more experienced programmers) to code against them. In brief:

  • Constrain data: check for known good data by validating type, length, format, and range (an allowlist of what is acceptable, not a blocklist of "bad" characters).
  • Use type-safe SQL parameters for data access, whether you call stored procedures or build SQL command strings dynamically. A stored procedure that concatenates its arguments into a dynamic SQL string and executes it is just as injectable as inline SQL.
  • Use a low-permission database account for data access. If the account the web application uses can only read the tables a page needs, an injected UPDATE cannot rewrite every content column on the site.
  • Hide data errors: return a generic message to the browser and log the detail server-side, so an error does not give clues as to table names, column names, or what may be acceptable to the database.
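The four items above, worked through in code. This is an added example, not code from the original post: it uses an in-memory SQLite database with a few constructed content rows, shows the same lookup written with string concatenation and with a bound parameter, an allowlist validator for the slug and a numeric id, a request handler that hides data errors behind a generic response while logging the detail server-side, and a write attempt against a connection restricted with PRAGMA query_only, which stands in here for a low-permission database account (a real deployment would use a dedicated SELECT-only account). The iframe in the write attempt is a placeholder, not the payload from the attack.

```python
import re
import sqlite3

# Constructed sample content table standing in for a site's database.
PAGES = [
    ("home", "<p>Welcome</p>"),
    ("about", "<p>About us</p>"),
    ("contact", "<p>Write to us</p>"),
]

# Stand-in for the server-side error log; nothing in here reaches the browser.
SERVER_LOG = []


def setup_db(read_only=True):
    """Create the sample DB. With read_only=True the web-facing connection is
    restricted with PRAGMA query_only, SQLite's stand-in for a low-permission
    database account (assumption: a real deployment would use a dedicated
    account granted SELECT only on the tables the page needs)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (slug, body) VALUES (?, ?)", PAGES)
    conn.commit()
    if read_only:
        conn.execute("PRAGMA query_only = ON")
    return conn


def lookup_unsafe(conn, slug):
    """Dynamically built SQL: the value is spliced into the grammar, so a
    single quote in it rewrites the query."""
    sql = "SELECT slug, body FROM pages WHERE slug = '" + slug + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, slug):
    """Type-safe parameter: the driver passes the value separately from the
    statement, so it is only ever compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT slug, body FROM pages WHERE slug = ?", (slug,)
    ).fetchall()


SLUG_RE = re.compile(r"^[a-z0-9-]{1,32}$")


def validate_slug(raw):
    """Constrain data: known-good type, length and format (allowlist)."""
    if not isinstance(raw, str) or not SLUG_RE.match(raw):
        raise ValueError("slug rejected: %r" % (raw,))
    return raw


def validate_page_id(raw):
    """Constrain data: type and range for a numeric id."""
    try:
        n = int(raw)
    except (TypeError, ValueError):
        raise ValueError("id rejected: %r" % (raw,))
    if not 1 <= n <= 1_000_000:
        raise ValueError("id out of range: %d" % n)
    return n


def handle_request(conn, raw_slug):
    """Web-facing handler: validate, query with a parameter, and hide data
    errors. The client sees a generic response; the detail goes to SERVER_LOG."""
    try:
        rows = lookup_param(conn, validate_slug(raw_slug))
    except (ValueError, sqlite3.Error) as exc:
        SERVER_LOG.append("%s: %s" % (type(exc).__name__, exc))
        return {"status": 404, "body": "Page not found"}
    if not rows:
        return {"status": 404, "body": "Page not found"}
    return {"status": 200, "body": rows[0][1]}


def try_mass_deface(conn):
    """The kind of write a mass iframe injection has to perform: append markup
    to every content row. Returns True if the write went through. The iframe
    source is a constructed placeholder, not the real payload."""
    try:
        conn.execute(
            "UPDATE pages SET body = body || ?",
            ('<iframe src="http://attacker.invalid/" width=0 height=0></iframe>',),
        )
        conn.commit()
        return True
    except sqlite3.OperationalError as exc:
        SERVER_LOG.append("write blocked: %s" % exc)
        return False


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR '1'='1"
    print("unsafe :", lookup_unsafe(db, payload))   # every row comes back
    print("param  :", lookup_param(db, payload))    # no row has that literal slug
    print("handler:", handle_request(db, payload))  # generic error, detail logged
    print("deface :", try_mass_deface(db))           # blocked on the read-only connection
    print("log    :", SERVER_LOG)
```

Note that parameterization alone already stops the payload (the parameterized lookup returns no rows), validation rejects it before it reaches the database at all, and the read-only connection means that even a query the other two layers missed could not have written the iframe into the content table.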

Now, there is a reason the items above look simple: they are.

All we need are programmers who will listen and not take shortcuts.
