A few months back I was running through a web server's log files looking for evidence of SQL injection attempts. Sure enough, I found it and installed some countermeasures to block some of the originating IP Addresses (or blocks of them). Sometimes I am even known to like to block entire countries that are known for activity that targets web servers. (That might sound extreme, but let me explain: If the bulk of your business is in an area that doesn't rely on international business, then it's not really a crazy idea.)
As I was discussing what I was working on with a co-worker that person said, "You're pretty crazy. I doubt we're a high priority on a hacker's list.
But, it's your job to be paranoid, I guess." And therein lies the problem. People assume that since they aren't a big corporation or a bank that they could never be a target for SQL injection. But, it doesn't work that way at all.
Web servers are targets of sports for hackers
365 days a year, 24/7 — and it doesn't mater whether you have one web server or a hundred; all a hacker is trying to find is an exploit. That exploit can be a page on a major bank website, or Grandma's Afghan e-Store; it's completely indiscriminate. SQL injection attempts are usually scripted attacks that play the law of averages; in other words the hacker may try ever IP address in a range, and if he can't get in, the script moves on to the next block.
So, just know that if you are running Microsoft SQL Server, you're on the list (until Microsoft actually admits that the database is the problem and stops blaming web developers' code). SQL Injections can happen in seconds and infiltrate an entire database. The next thing you know, your customers are clamoring that their machines were infected.
So, call me crazy. Call me paranoid. It's something you need to be at least a little hopped up about if you have a dynamic website.
About Tim Staney
has more than ten years (since 1997) of web development experience building enterprise-grade web applications for Fortune 500, small business and not-for-profit enterprises across the United States and Canada over a wide-range of industries. Tim specializes in information architecture, content management with a keen focus on user experience, and social media integration. Tim Staney
is a resident of St. Petersburg, Florida and active member of his community. Staney
regularly presents to professional and community groups, speaking on social media, social marketing, web content management and web strategy.
Tim Staney is a member of the American Marketing Association and <uwebd />, University Web Developers as well as the St. Peter's Episcopal Cathedral Communications Task Force. Tim is the Web Content Manager at St. Petersburg College working for the Marketing and Public Information department managing content in the college's Ektron content management system. Tim also teaches courses like Social Marketing for Small Buisness and Designing Effective Websites for St. Petersburg College's Learn to Earn program.
Except where otherwise attributed, the statements, thoughts, views and beliefs in this blog post are solely those of the author.