Financial Services Blog from a Microsoft Technology Strategist
Brian Jackson, an Industry Technology Strategist on the Worldwide Financial Services team at Microsoft, offers his insights on financial services, with a focus on banking, at his blog -- http://blogs.msdn.com/bjacks/. His first posting describes how to avoid injection attacks against Microsoft SQL Server.
“I can't tell you how many times I've seen various data-driven sites fall over when I (innocently enough, I swear) enter text containing quotation marks. I wince every time I see something like:
Invalid syntax near '''.
This generally indicates that the code behind the site is concatenating strings in order to form SQL queries, and that the developer didn't properly safeguard against malformed input. Not only does this cause non-malicious queries like mine to blow up, it also indicates that the site is vulnerable to SQL injection attacks, which allow a malicious user to run arbitrary SQL statements against the database. This could be used for malicious DML, like:
SELECT CreditCardNumber FROM Customers”
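The two failure modes quoted above, the apostrophe that breaks a concatenated query and the crafted input that turns it into arbitrary DML, can be reproduced in a few lines. This is an added example and not code from Brian Jackson's post: it uses Python's built-in sqlite3 module in place of SQL Server so it runs offline, the Customers table and its rows are constructed here, and the SQL syntax is kept to the subset that behaves the same on both engines. The concatenation bug and the parameterized fix are the same on any database.

```python
import sqlite3


def make_db():
    """Constructed sample data: two customers with card numbers (assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Name TEXT, CreditCardNumber TEXT)")
    conn.executemany(
        "INSERT INTO Customers VALUES (?, ?)",
        [("Alice", "4111-1111-1111-1111"), ("Bob", "5500-0000-0000-0004")],
    )
    return conn


def build_concat_sql(name):
    """The vulnerable pattern: user input is spliced into the SQL text."""
    return "SELECT Name FROM Customers WHERE Name = '" + name + "'"


def lookup_concat(conn, name):
    """Vulnerable lookup: whatever the user typed becomes part of the query."""
    return [row[0] for row in conn.execute(build_concat_sql(name))]


def lookup_param(conn, name):
    """Hardened lookup: the value is bound as a parameter, never parsed as SQL."""
    cur = conn.execute("SELECT Name FROM Customers WHERE Name = ?", (name,))
    return [row[0] for row in cur]


def demo():
    """Run both lookups against an innocent and a malicious input."""
    conn = make_db()
    results = {}

    # 1. A perfectly legitimate name containing an apostrophe. The concatenated
    #    query becomes  ... WHERE Name = 'O'Brien'  and the parser chokes, which
    #    is exactly the "syntax near '" error the post describes.
    try:
        lookup_concat(conn, "O'Brien")
        results["concat_quote"] = "ok"
    except sqlite3.OperationalError as exc:
        results["concat_quote"] = "error: " + str(exc)

    # 2. A hostile input that closes the string literal, appends a UNION that
    #    pulls card numbers, and comments out the trailing quote.
    payload = "x' UNION SELECT CreditCardNumber FROM Customers --"
    results["concat_injected"] = lookup_concat(conn, payload)

    # 3. The parameterized version treats both inputs as plain string values:
    #    no error for O'Brien, and the payload simply matches no customer.
    results["param_quote"] = lookup_param(conn, "O'Brien")
    results["param_injected"] = lookup_param(conn, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

On SQL Server the equivalent fix is a parameterized SqlCommand (values added through SqlCommand.Parameters) or, for dynamic SQL inside T-SQL, sp_executesql with declared parameters instead of EXEC on a concatenated string.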