SQL injection really bugs me. It is almost always the application developer's fault. Once you notice that a site's registration form breaks on apostrophes (maybe your last name is Irish) it's often a sign that you'll be able to throw in some SQL with that last name.
Penetration testing experts use a tool like Havij: An Advanced SQL Injection Tool. It's a nice friendly GUI designed to make it easy to "own" an application. Point, click, and compromise. Well, even though the project itself has nothing to do with evil, Cybercriminals are having a love affair with Havij.
My advice: download this tool and get to know it. Start your own love affair with Havij before the bad guys start throwing errant quotes into your form fields. Also don't think that enterprise languages like Java or .NET are invulnerable to SQL injection attacks. To avoid these attacks, here's some quick advice:
- Never trust input directly from an HTTP parameter.
- Use some web framework like Tapestry, GWT, or Struts, and make sure that all user input passes through whatever mechanism it is using for input processing and validation. It is very likely that the framework is built to resist SQL injection.
- Use a good ORM or persistence library like iBatis or Hibernate. Again these are just more layers to make sure that your input isn't going straight into a SQL statement.
- Use Nexus 2.0 Repository Health Check to make sure that your web frameworks and persistence frameworks are up to date.
Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.