    Hi all

    Funny enough, we had a panic session with our apps re SQL injection attacks along with cross-site scripting problems. Generally speaking here, it's the tardiness of developers that's the issue. I come from an old-school developer background where our C development lecturer (ex-military) would knock off assignment marks quicker than a rabbit on fire without correct parameter validation. People get sloppy (copying and pasting existing code is a classic) and, worse still, a small startup.com app (probably like petco.com) that turned from a small app with 2 users into 500k users and big $ turnover, never to review that old code that had inline SQL in their ASPs!

    The comments from petco were funny re not finding any other evidence; of course, most of the db ops that can be done won't be tracked via the webserver logs (esp. if they were hex encoded).

    Another thing with credit cards: why aren't they being encrypted? Strange.

    Cheers

    Ck

    Chris Kempster

    http://www.chriskempster.com

    Author of "SQL Server Backup, Recovery & Troubleshooting"

    Author of "SQL Server 2k for the Oracle DBA"
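The "inline SQL" pattern the post complains about, shown beside the parameterized form that fixes it. This is an added example and not code from the post or from any of the sites it mentions; it uses Python with the standard-library sqlite3 module as a stand-in for the classic ASP / SQL Server stack described, and the customer rows are constructed sample data. The input `O'Brien` is an ordinary username that happens to contain a quote: with string concatenation that single character changes the structure of the statement and the query fails (or, with crafted input, does something else entirely), while with a bound parameter it is only ever compared as a value.

```python
import sqlite3

# Constructed sample data: a tiny customer table standing in for the
# hypothetical startup's database from the post.
CUSTOMERS = [
    (1, "alice", "alice@example.com"),
    (2, "O'Brien", "obrien@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_inline(conn, username):
    """The sloppy pattern: user input spliced straight into the SQL text.

    Any quote character in `username` becomes part of the statement's
    syntax instead of being treated as data.
    """
    sql = "SELECT id, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the statement is fixed text; the value is bound separately.

    The database driver never re-parses the bound value as SQL, so the
    characters it contains cannot change what the query does.
    """
    sql = "SELECT id, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both variants on the same input and report what each one did."""
    conn = make_db()
    try:
        inline = lookup_inline(conn, username)
        inline_error = None
    except sqlite3.Error as exc:
        # The concatenated statement is no longer valid SQL once the input
        # contains a quote; record the error class instead of a result.
        inline = None
        inline_error = type(exc).__name__
    param = lookup_parameterized(conn, username)
    conn.close()
    return {"inline": inline, "inline_error": inline_error, "parameterized": param}


if __name__ == "__main__":
    for name in ("alice", "O'Brien"):
        print(name, compare(name))
```

The same bug that makes `O'Brien` break the concatenated query is what an attacker exploits; the parameterized version needs no input-sanitising heroics because the value is never interpreted as SQL in the first place. Note also the post's point about logs: neither variant leaves any trace in the web server's access log of what the database actually executed, so detection has to come from the database or application layer, not from grepping HTTP logs.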