A security researcher has identified a new attack that has infected almost 300,000 webpages with links that direct visitors to a potent cocktail of malicious exploits. The SQL injection attacks started in late November and appear to be the work of a relatively new malware gang, said Mary Landesman, a researcher with ScanSafe, a …
Just gonna quickly blackhole that domain before anyone finds out
SQL injection is easily prevented
if you parse your (PHP) input with:
$params['name'] = isset($_POST['name']) ? mysql_real_escape_string($_POST['name']) : '';
or if it's a numerical value you're expecting, even better:
$params['name'] = isset($_POST['name']) ? (int)($_POST['name']) : 0;
(use $_GET['name'] if you're passing parameters in the URL.)
And HTML injection is removed simply by:
$params['name'] = preg_replace("/\<.*\>/g", "", $params['name']);
Then you only work with the clean $params array. There's no reason any webmaster can't implement these most basic code checks. It's not rocket science.
It's not rocket science
True - and in the .NET world you can use urlscan.
But it becomes trickier when you're responsible for a large, complex web site with poor documentation (and, trust me, there are rather a lot of these). Retrofitting is non-trivial and you may also need to introduce security testing and change management processes to ensure that vulnerabilities are not inadvertently reintroduced.
- Vid Hubble 'scope snaps 200,000-ton chunky crumble conundrum
- Bugger the jetpack, where's my 21st-century Psion?
- Google offers up its own Googlers in cloud channel chumship trawl
- Windows 8.1 Update 1 spewed online a MONTH early – by Microsoft
- Interview Global Warming IS REAL, argues sceptic mathematician - it just isn't THERMAGEDDON