The vulnerability scanning vendors get raw data on the number of SQL injection flaws that are uncovered. If you just look at these numbers and don't take authentication, user roles, and other contextual information into account, then yes, you'd think the sky is falling. That said, I find lots of SQL injection flaws that are not exploitable given the context of the vulnerability. Many are false positives.
In over 10 years of testing Web applications using what I believe are some of the best tools available, I've only come across two situations where SQL injection was actually exploitable and truly meant something to the business. One was exploitable via an unauthenticated user and the other by trusted users who were logged in. I see many, many more issues with cross-site scripting, login mechanisms, and application logic that, in many cases, can be just as detrimental as SQL injection.
Here are some articles that might interest you while we're on the topic of SQL injection issues:
- Malicious code injection: It's not just for SQL anymore
Injection attacks are ubiquitous, and SQL injection is only one version of the exploit. S.P.I. Dynamics' Bryan Sullivan describes these attacks and how to prevent them.
- Blind SQL injection attacks explained
Most security professionals know what SQL injection attacks are and how to protect their Web applications against them.
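The answer above draws a line between a scanner flagging SQL injection and the flaw actually being exploitable. The following is an added example (not part of the original answer or of any scanner vendor's code) showing the kind of manual confirmation a tester runs on a flagged parameter: a boolean-based differential probe sent to two hypothetical lookup functions backed by an in-memory SQLite table, one built by string concatenation and one parameterized. The table contents, function names and payloads are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: a small users table in an in-memory database.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create the throwaway SQLite database used by both lookup functions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the user-supplied name is pasted into the SQL text."""
    sql = "SELECT id, name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the same query with a bound parameter, so the name is data, not SQL."""
    return conn.execute("SELECT id, name, role FROM users WHERE name = ?", (name,)).fetchall()


def confirm_boolean_injection(lookup, conn, known_value="alice"):
    """Boolean-based differential check used to triage a scanner finding.

    Three requests are compared: a known-good value, the same value with a
    tautology appended ('1'='1), and the same value with a contradiction
    appended ('1'='2'). Injection is only confirmed when the tautology leaves
    the response unchanged while the contradiction changes it. A parameterized
    endpoint treats both payloads as literal names and fails the check.
    """
    baseline = lookup(conn, known_value)
    true_case = lookup(conn, known_value + "' AND '1'='1")
    false_case = lookup(conn, known_value + "' AND '1'='2")
    return true_case == baseline and false_case != baseline


def rows_exposed_by_tautology(lookup, conn):
    """Measure impact: how many rows a blanket tautology returns through this lookup."""
    return len(lookup(conn, "x' OR '1'='1"))


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_safe)):
        confirmed = confirm_boolean_injection(fn, db)
        exposed = rows_exposed_by_tautology(fn, db)
        print(f"{label:14s} injection confirmed={confirmed} rows exposed by tautology={exposed}")
```

The probe only reports a confirmed injection when the true and false conditions produce different responses in the expected direction; a scanner that keys on error strings or response-time noise can flag both endpoints, which is exactly the false-positive population the answer describes. The impact measurement is the other half of triage: a confirmed injection that can only ever return the caller's own row is a very different business risk from one that dumps the whole table.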