New Security Advisory on SQL Injections
This is hot off the presses. Here is the full article. They start off pointing out, once again, that this is due to bad coding practices. And, well, it is.
What I find interesting is the "Suggested actions" section. It contains 3 utilities. "Utilz" for you hackers.
- HP Scrawlr - a free scanner which can identify whether sites are susceptible to SQL injection: Finding SQL Injection with Scrawlr at the HP Security Center.
- UrlScan version 3.0 Beta - UrlScan version 3.0 Beta is a Microsoft security tool that restricts the types of HTTP requests that Internet Information Services (IIS) will process.
- Microsoft Source Code Analyzer for SQL Injection - A SQL Source Code Analysis Tool has been developed. This tool can be used to detect ASP code susceptible to SQL injection attacks. This tool can be found in Microsoft Knowledge Base Article 954476.
So get to work! A little proactive effort now will save a lot of cleanup if you get hacked.
From the database side, these .cn guys are appending text to every row of every "string" type column in every table in every database they can reach. Sometimes the injections fail just due to disk space! If preventing this is not a high priority for the devs and IIS admins who manage the apps that touch your DBs, you should make it so.