SQL Injection

I recently had cause to discuss this problem with a friend who manages web support for a commercial website. He was amazed that with just a little bit of internal knowledge, no more than any former employee might have, he could literally wipe out the databases that support several of the key websites.

Security is not something that can be taken lightly; it simply isn't. Some of the smartest people in the world are not employed by your corporation, or by Microsoft; rather, they spend their time finding ways to make your life unpleasant. Think I'm wrong? Perhaps they are no smarter than their corporate counterparts, but there are more of them than there are of us. They may be 14 years old, but that is irrelevant, as it should be in the corporate IT world: it is the knowledge, not age or degree, that matters.

If you develop or maintain websites, then I have a serious suggestion for you: read the industry press, and when developing code, always double-check your input. Always. For Web Services, remember that any call could carry unsafe user input, which really means that you should validate data as part of EVERY COMPONENT you write, if you truly wish to be safe.
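
To make the "double-check your input" advice concrete, here is an added example (not code from the original post) using Python's standard sqlite3 module with a constructed in-memory users table. The `lookup_vulnerable` function builds the SQL text by pasting the input into the query, which is the pattern that lets a value containing a quote change the statement's structure; `lookup_parameterized` sends the value as a bound parameter so it can only ever be treated as data; `lookup_checked` adds an allowlist check in front of that, so input that does not look like a username never reaches the database at all. All table and function names, and the username pattern, are assumptions for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a real user store (not from the post).
SAMPLE_USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately unsafe: the input becomes part of the SQL text itself.

    A value containing a quote closes the string literal early and the rest of
    the value is parsed as SQL, so the WHERE clause no longer means what the
    developer intended.
    """
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the value is bound as a parameter, never spliced into the statement.

    The database receives the statement and the value separately, so quotes in
    the value are just characters to compare against, not SQL syntax.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Assumed allowlist for usernames: letters, digits and underscore, 1 to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(name: str) -> bool:
    """Return True only if the whole string matches the assumed username pattern."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_checked(conn: sqlite3.Connection, name: str) -> list:
    """Defence in depth: validate the input first, then still use parameters.

    Input validation is not a substitute for parameterized queries, but it
    rejects obviously malformed data before it reaches any component.
    """
    if not is_valid_username(name):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # constructed input containing a quote
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, crafted))  # every row
    print("parameterized, crafted input:", lookup_parameterized(db, crafted))  # no rows
    print("checked, crafted input accepted?", is_valid_username(crafted))  # False
```

Run it and compare the two "crafted input" lines: the concatenated query returns the whole table because the WHERE clause has been rewritten, while the parameterized query returns nothing because it is looking for a user literally named `' OR '1'='1`. Note that the allowlist alone would not have protected a query that accepts free-form text such as a comment field, which is why the parameterized form is the primary control and the check is a second layer.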

There is a pretty good article on how to do this with regard to SQL Injection here:
http://www.developer.com/db/article.php/2243461