Comments on: Skeleton key unlocks Microsoft SQL servers in latest Web attack

Security researcher tells CNET News.com that hackers have found a generic way to exploit Microsoft SQL servers in this latest mass attack of legitimate Web sites.

by Pete Bardo May 7, 2008 12:10 PM PDT
Typical Microsoft response to a problem, "That's not a bug, it's a feature!" They've been saying this for a few decades now--before the internet, even before Windows!

But, really, web developers have to take some of the blame here. Saving data from an unknown source without validating or scrubbing? Who does that and why? Lazy programmers do it because, well, they're lazy. I happen to be one of the laziest programmers I know, but even I validate user input before saving it. I remove any and all JavaScript and in most cases remove all HTML code that could be harmful.

Oh, btw, I stopped using MS SQL several years back when MySQL became a reasonable alternative. It may not be vulnerable to the same kind of injection, but I still validate and scrub all data before saving it to a database.
Reply to this comment
by Pixelslave May 7, 2008 1:05 PM PDT
I am continuously amazed by comments like the one above. After reading the whole comment and the article, it's fair to say that MS bashing in this case is just ... MS bashing. Even WhiteHat's CTO agreed that it's a feature -- what's the point of saying "Typical Microsoft response to a problem, 'That's not a bug, it's a feature!'"?
Reply to this comment
by gbrayjr May 7, 2008 1:45 PM PDT
Yeah, let's blame it all on Microsoft!!! Do the author and the rest of the world realize that half-decent entry-level coding practices can completely prevent this? Hmm.. probably. But that would mean passing on an opportunity to bash Microsoft and actually showing some objectivity. Oh wait a minute... this is CNet... Yeah, it's an extra step to write sensible secure code. But let's just keep blindly blaming Microsoft while we don't bother to validate our input before passing it off to our database. People get the internet they deserve...
Reply to this comment
by mighty_max_3 May 7, 2008 1:52 PM PDT
Also, JavaScript and HTML are used in XSS attacks and not SQL injection attacks, as the syntax is completely different for these attacks. Also, no DB software is inherently secure. This attack may not work in MySQL, but that's not to say that MySQL can't be SQL injected, as this comes from user commands originating from the code the programmer wrote.
Reply to this comment
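The two points raised in the thread above (the first commenter's HTML/JavaScript scrubbing, and mighty_max_3's reply that this addresses XSS rather than SQL injection) can be shown side by side in code. The example below is added here and is not code from any commenter or from the article; it uses Python's sqlite3 module with a constructed in-memory `users` table standing in for a site's backing database, and an ordinary name containing an apostrophe as the input. The HTML stripper leaves the apostrophe untouched, the query built by string concatenation breaks on it (the same property an injection attack relies on), and the parameterized query handles it correctly because the value is never parsed as SQL.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory users table (illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("O'Brien", "obrien@example.invalid")],
    )
    return conn


def strip_html(value: str) -> str:
    """The kind of 'scrubbing' described in the first comment: drop script blocks
    and tags. This is an XSS defence; it does not touch SQL metacharacters."""
    value = re.sub(r"(?is)<script.*?</script>", "", value)
    return re.sub(r"<[^>]+>", "", value)


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: user data spliced into the SQL text. A plain
    apostrophe in the name already changes how the statement is parsed."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the value travels as a bound parameter, so the
    database never interprets it as part of the SQL."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    """Run one constructed input through both the scrubber and both lookups."""
    conn = make_db()
    raw = "<b>O'Brien</b>"          # constructed input: markup plus an apostrophe
    scrubbed = strip_html(raw)       # -> "O'Brien": the quote survives scrubbing
    result = {"scrubbed": scrubbed, "quote_survives": "'" in scrubbed}
    try:
        lookup_concatenated(conn, scrubbed)
        result["concatenated"] = "ok"
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early: SQL syntax error.
        result["concatenated"] = "error: " + str(exc)
    # The bound parameter is matched as data, so the real row comes back.
    result["parameterized"] = lookup_parameterized(conn, scrubbed)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The takeaway for the thread is that the two defences are not interchangeable: HTML scrubbing belongs at output time to stop XSS, while SQL injection is stopped by never building statements from strings, regardless of which database engine sits behind the site.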
About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.