These types of problems are avoidable. Developers will always make mistakes, and SQL injection vulnerabilities won't reach extinction any time soon, but their numbers can be reduced significantly. Applications just need to be built properly: database queries should be parameterized, so that user input reaches the database as data rather than being spliced into the SQL text, and inputs should be vetted so that obviously bogus field values and database requests are rejected before they get anywhere near a query.
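As an added illustration of the point above (example code written for this page, not code from the original post or from any company it mentions), the following Python script builds a constructed in-memory SQLite user table, shows a login query assembled by string concatenation being subverted by two classic injected inputs, and then performs the same lookup with a parameterized query plus an allow-list check on the username field. The table contents, the function names and the payloads are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
# Every name and credential here is made up for the demonstration.
SAMPLE_USERS = [
    ("alice", "s3cret", "merchant"),
    ("bob", "hunter2", "merchant"),
    ("admin", "Tr0ub4dor&3", "administrator"),
]


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input is concatenated into the SQL text, so quotes,
    comment markers and boolean logic in the input become part of the query."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: placeholders keep the SQL text fixed and ship the input to
    the database engine as bound values, never as query syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def is_plausible_username(username):
    """Allow-list check for an obviously bogus field value: a username here
    is 1-32 characters of letters, digits or underscore, nothing else."""
    return 1 <= len(username) <= 32 and username.replace("_", "").isalnum()


def login_hardened(conn, username, password):
    """Vet the field first, then run the parameterized query. Rejected input
    never produces a database request at all."""
    if not is_plausible_username(username):
        return []
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    # Comment-out attack: the '--' discards the password check entirely.
    print(login_vulnerable(db, "admin' --", "wrong"))          # admin row
    # Tautology attack: "OR '1'='1'" makes the WHERE clause true for every row.
    print(login_vulnerable(db, "x", "' OR '1'='1"))             # all three rows
    # Same payloads against the parameterized query are just unmatched strings.
    print(login_parameterized(db, "admin' --", "wrong"))        # []
    print(login_hardened(db, "x", "' OR '1'='1"))               # []
    print(login_hardened(db, "alice", "s3cret"))                # legitimate login
```

The allow-list check is a second line of defence, not a substitute for parameterization: a password field legitimately contains quotes and punctuation, so it cannot be filtered the same way, and the parameterized query is what makes that input harmless.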
A lot of companies, apparently, don't think it's worth the trouble. Some of the most notorious hacks and cyber-crimes, including the breaches at Heartland and Hannaford, have involved SQL injection attacks. According to a report issued by WhiteHat Security Inc., which evaluated the security of 1,031 sites, about 17% of Web sites were vulnerable to SQL injection attacks.
That's why it was no surprise, when I read Kelly Jackson Higgins' DarkReading story "Hacker Hits RBS WorldPay Systems Database," to learn that SQL injection was central to the incident:
The hacker, who goes by "Unu," says he accessed RBS WorldPay's database via a SQL injection flaw in one of its Web applications. RBS WorldPay maintains Unu accessed a test database that didn't carry any live data, and that no merchant or cardholder data accounts were compromised. The company has since taken down the pages.
[ . . . ]
"If the parameter is not well-secured, besides the legitimate request from the database -- which is related to that parameter -- other applications data can insert," he says. "The vulnerable parameter allows full access to databases on [the] server."
In addition to the SQL injection vulnerabilities, Unu also noted weak password usage on the site, including clear text publishing of an administrative password.
You can take a look at the screenshots Unu says were taken of the hacked RBS WorldPay database.
Earlier this year, the SANS Institute published a list of the top 25 security-related mistakes developers make. The list is based on a consensus gathered by 30 U.S. and international security organizations, including US-CERT, the NSA and several security vendors. SQL injection made the list. Let's hope organizations start to wise up, and stop making the same mistakes over and over again.