Over the last week, the big news in the IT world that has crossed over into the mainstream media is the recent ID theft case. It does not surprise me that the group was able to steal so many credit card numbers, but it does surprise me how they accomplished it: they used a SQL injection attack to plant sniffers inside corporate networks. The surprising part is that these types of attacks are preventable with good defensive programming. Simply validating the input fields passed to the backend database is a good start. Better still, use prepared statements or stored procedures on the database, which keep the query structure fixed and force some validation. This will not be the last time that we hear of such an attack as long as developers are not thinking like a hacker when creating their web apps.