I attended an OWASP presentation yesterday in Silicon Valley, and was dumbfounded to learn that SQL Injection is still the #1 problem for web applications in 2012. Not sure how many years it has been since OWASP put this on its list of Top 10 vulnerabilities - I definitely recall reading about it in 2005 - but hearing that this is still the #1 problem is simply incredible.
The Java Enterprise Edition, IMO, has the optimal architecture to permanently eliminate this problem: the web-form talks to the servlet, the servlet hands over the form-data to a stateless session-bean, which, based on the parameters it parses and validates, calls the appropriate entity-bean to execute the OQL query and hand the results back to the SLSB. Even if the attacker was clever enough to get past the data-validation in the SLSB, what can an attacker do with SQL embedded inside an OQL parameter?
Does the book recommend ways to eliminate this problem once and for all? Even if business executives are idiots who do not provide sufficient time/resources to get the job done right, I would imagine books and experts should have spread enough information by now, to make a SQL Injection vulnerability a career stigma for any programmer. TIA.
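The question above asks what SQL embedded in a query parameter can do. As an added example (not part of the original thread), this contrasts splicing a form value into query text with binding it as a parameter behind a validation layer, using Python's sqlite3 in place of the Java EE stack the post describes; the table, function names and input are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: an in-memory table with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def find_concatenated(db, name):
    # Vulnerable form: the form value is spliced into the query text,
    # so quote characters in it change the query's structure.
    return db.execute(
        "SELECT email FROM users WHERE name = '" + name + "'").fetchall()

def find_bound(db, name):
    # Hardened form: the value travels as a bound parameter and is only
    # ever compared as data, whatever characters it contains.
    return db.execute(
        "SELECT email FROM users WHERE name = ?", (name,)).fetchall()

# Assumed validation rule for this example: short alphanumeric user names.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def service_lookup(db, form_value):
    # Validation layer (the role the post gives the session bean):
    # reject anything that is not a plausible user name, then bind.
    if not NAME_RE.fullmatch(form_value):
        raise ValueError("invalid user name")
    return find_bound(db, form_value)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing SQL syntax
    print(find_concatenated(db, crafted))  # every row comes back
    print(find_bound(db, crafted))         # no row has that literal name
    print(service_lookup(db, "alice"))     # normal lookup still works
```

The same distinction applies to any query language: the protection comes from binding the value, not from the layer that issues the query.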
I did not have room to add several recipes I had on prevention.
But I also was surprised at first about how SQL attacks are #1.
One report I found was that not only are hackers stealing data or gaining access to a system through SQL injection, but some people just want to destroy a system, such as by mass deletion of records, which will bring your application down.
There are several tools that you can run against your own application to test for vulnerabilities.