Recently, we had a customer who kept saying that his site was hacked and his server was not secure. We looked at his claims very seriously and researched as hard as we could. We could not find any possible way that the server was exploited and there really was nothing wrong.
The customer insisted that we had an issue. Somehow, his whole database was hacked.
After a long, extensive search, we found out how people were getting into his website. They were using a very old tactic of "SQL injection". SQL injection is actually very clever, and it's totally what programmers and hackers both know. A typical person would not know what SQL injection is because it's not a typical input you put into a web form. He recognized that it was not our fault, but instead his programmers' fault.
A PERFECT example of this is located on Wikipedia.com. I actually have used their example to prove if a site is exploitable. Usually you just put in code like this:
a' or 't'='t
into a username and password field and click login. If the site is vulnerable, you may just log in to the account.
Anyhow, there is a quick and simple fix for this. When you take data from the end user, you just need to escape the values. The single quote is the culprit for most SQL injections.
My solution in the past has just been to do a replace on all ' to '' (that is two single quotes). SQL will take that input and make it a single quote in the database.
ASP example: Replace(userInput, "'", "''") or, in .NET, strInput.Replace("'", "''");
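The login check described above, as an added example that is not code from the original post: it is written in Python against an in-memory SQLite database, and the table, sample users and function names are assumptions made for the illustration. It runs the input quoted in the post, a normal login, and a username that legitimately contains a quote through a concatenated query, the quote-doubling replace, and a parameterized query.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("o'brien", "pw")])
    return db

def login_concatenated(db, username, password):
    # Vulnerable: user input is pasted straight into the SQL text.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()[0] > 0

def escape_quotes(value):
    # The replace from the post: every ' becomes ''.
    return value.replace("'", "''")

def login_escaped(db, username, password):
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" +
           escape_quotes(username) + "' AND password = '" +
           escape_quotes(password) + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password):
    # Values are bound separately and never become part of the SQL text.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def run_demo():
    db = make_db()
    probe = "a' or 't'='t"  # the input quoted in the post
    results = {}
    for name, fn in [("concatenated", login_concatenated),
                     ("escaped", login_escaped),
                     ("parameterized", login_parameterized)]:
        try:
            legit_quote = fn(db, "o'brien", "pw")
        except sqlite3.OperationalError:
            legit_quote = "sql error"  # the stray quote broke the statement
        results[name] = (fn(db, "alice", "s3cret"), fn(db, probe, probe), legit_quote)
    return results

if __name__ == "__main__":
    for name, row in run_demo().items():
        print(name, row)
```

Quote doubling only protects the inputs it is applied to and depends on the database's quoting rules; bound parameters keep every value out of the SQL text regardless.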
I decided to write about this today because of a funny picture found on xkcd.com (http://xkcd.com/327/). Here is the picture:

When I put this up as my signature on one of the message boards I run, people commented that the picture was very funny, even the non-techies thought it was. I then realized that some of the code I wrote 7 years ago was vulnerable. I even had another website of mine hacked due to this. Old unmaintained code sucks to go back and fix.
I hope this helps you understand SQL injection a little more. It is still very common and MANY MANY websites on the internet are still vulnerable. Don't let your website get hacked because of this.