IBM recently reported in its X-Force Threat and Risk Report that SQL injection attacks jumped 134 percent in 2008 compared with 2007. In addition, exploitation of vulnerable websites increased from a few thousand per day in early 2008 to hundreds of thousands of attacks per day by the end of 2008. Moreover, these attacks differed from the typical one-off targeted attempts to steal data or manipulate applications; instead, these mass attacks often used automated SQL injection to exploit websites by redirecting users to malicious sites. A major culprit in these attacks was the Asprox botnet, originally used for phishing but now used to add iFRAMES to legitimate websites' backend data and thus open the sites to exploitation. According to the IBM report, "these automated attacks highlighted the high number of websites vulnerable to SQL injection and [illustrate] that secure development practices will go a long way in effectively mitigating these attacks."
The following SQL Server Magazine and Windows IT Pro resources can help you protect your organization against SQL injection attack: