pageoneresults - 11:41 am on May 27, 2008 (gmt 0)
According to my Lead Programmer, no. I've got him reviewing this topic as we have an interest here. He's been dealing with sql injection attacks since the late 90s. Here is some of the commentary I am currently having with him via IM...
Can we be absolutely clear about what systems are infected here?

The last comment on that is good: "note that cleaning your db table fields is only temporary, unless you clean up the way you query the database it will just be reinfected." Unfortunately for MySQL, most beginner sites are still using SQL statements inside the ASP/PHP scripts, especially when MySQL is free and designed for beginning sites, and they don't offer stored procedures (or the advanced paid version only offers limited stored procedure options). Also, I'll need to check the latest MySQL. They might have added a few more features. But the problem is that most users prefer "Select * from tblUsers" to creating a stored procedure, setting the parameters and calling it. To them it's additional steps.

BTW, this issue can happen on any system (ASP, JSP, ASP.NET, PHP) and any database (MySQL, Access, MSSQL, Oracle). It's always about best coding practices and knowing how to set the security. That's why DBAs get paid $$$$$. If Walmart's database is down and the latest one they can restore is from 1 hr ago, they're in huge trouble. That's several terabytes of transactions lost.
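The point quoted above, that cleaning table fields is only temporary until the query itself is fixed, shown as an added example that is not part of the original post. Python's built-in `sqlite3` stands in for the ASP/PHP page and its database; the `pages` table, the function names and the marker string are constructed for illustration.

```python
import sqlite3

# Constructed stand-in for content an injection leaves behind in text fields.
MARKER = "<!--constructed-marker-->"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO pages (title) VALUES (?)",
                   [("Home",), ("About",), ("Contact",)])
    return db

def rename_concat(db, page_id, title):
    # SQL text assembled from request values: the input becomes part of the statement.
    db.execute("UPDATE pages SET title = '" + title + "' WHERE id = " + page_id)

def rename_param(db, page_id, title):
    # Same statement with bound parameters: the input is only ever a value.
    db.execute("UPDATE pages SET title = ? WHERE id = ?", (title, page_id))

def infected_rows(db):
    return db.execute("SELECT COUNT(*) FROM pages WHERE instr(title, ?) > 0",
                      (MARKER,)).fetchone()[0]

def clean_fields(db):
    # The "clean your db table fields" step: strips the marker, fixes nothing else.
    db.execute("UPDATE pages SET title = REPLACE(title, ?, '')", (MARKER,))

def demo():
    bad_id, bad_title = "1 OR 1=1", "Home" + MARKER   # constructed request values
    db = make_db()
    rename_concat(db, bad_id, bad_title)
    first = infected_rows(db)        # every row rewritten, not just id 1
    clean_fields(db)
    cleaned = infected_rows(db)      # table looks clean again
    rename_concat(db, bad_id, bad_title)
    again = infected_rows(db)        # same request, same result: reinfected
    fixed = make_db()
    rename_param(fixed, bad_id, bad_title)
    return first, cleaned, again, infected_rows(fixed)

if __name__ == "__main__":
    print(demo())
```

The parameterized handler still serves normal requests: a bound `"2"` matches row 2, while the bound `"1 OR 1=1"` is compared as a single value and matches no row.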