Not administrator's fault
Actually this is not due to bad admin procedures or a sql server open to the internet:
A SQL injection attack works as follows: you find a script which accepts parameters...which is used to query a database.
You then call that script directly with *SQL commands in the parameter*.
For instance, if the parameter was ?surname=Jones, then you can be pretty sure the script will run a "where surname='jones'..." query... and this is where you attack: by adding SQL to the parameter, for instance:
?surname=jones;insert into table ('email') values ('java script to execute')
The script will now update the table and, next time a surname is read and displayed, the JavaScript will execute.
Nothing the hostmaster or sysadmin can do about this - it's a developer problem.
Specifically, a developer should ALWAYS check the validity of his parameters before he runs a query to the database. A simple way to do this is to:
- truncate at a reasonable length (i.e. a surname should not be longer than, say, 55 chars)
- replace quote signs with " ` "
- replace escape chars such as "--" and ";" with something else
- replace spaces in the input with something like or _
In principle, accept and store the data in such a way that a valid SQL command cannot be formulated.
Now consider that every script that accepts input parameters used to query a database has to be sanitized as above....

For more detail, here is a good article on SQL injection:
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
Regards
Waldo
www.cozahost.com
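As an added illustration of the surname lookup described in the post above (example code, not from the post or its author): the first function pastes the parameter straight into the query text, which is the defect that lets a quote in the input change the SQL; the second applies the length limit the post suggests and then passes the value as a bound parameter, the standard fix that keeps quotes, `;` and `--` in the input as plain data. The table, its rows and the `lookup_*` function names are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the table the post's script queries.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (surname TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Jones", "jones@example.invalid"), ("Smith", "smith@example.invalid")],
    )
    return con


def lookup_vulnerable(con, surname):
    # The pattern the post warns about: the parameter becomes part of the SQL text,
    # so a quote in the input closes the string literal and the remainder is parsed as SQL.
    sql = "SELECT surname, email FROM users WHERE surname='%s'" % surname
    return con.execute(sql).fetchall()


MAX_SURNAME = 55  # the length limit the post suggests


def lookup_safe(con, surname):
    # Validate the length as the post recommends, then bind the value instead of
    # concatenating it: the driver sends it separately from the SQL text, so the
    # database never interprets its contents as SQL.
    if not surname or len(surname) > MAX_SURNAME:
        raise ValueError("surname missing or too long")
    sql = "SELECT surname, email FROM users WHERE surname=?"
    return con.execute(sql, (surname,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("safe:      ", lookup_safe(db, probe))        # [] - treated as a literal surname
```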