I find it frightening that SQL Injection is still making the headlines. Back in 2000 we wrote a library for our ASP sites that took care of this. Yes, I said ASP. How is it that 10 years later this is still such a problem?
If you don’t think it’s an issue, check out this list of recent SQL Injection attacks, which includes the largest case of identity theft known in the US.
So what’s causing this, and who’s to blame? In my opinion, it’s the developers, and the people who hire and perpetuate the use of such developers. Excuses of time, budget constraints, or “my boss made me do it” don’t ring true for me. First of all, there are enough libraries and frameworks out there that make SQL Injection a thing of the past and a simple fix. I primarily use Rails for my web applications, and I’d have to try really hard to expose a SQL Injection vulnerability. And when there is a case in which using a database persistence library is a no-go, I spend the time to abstract out the persistence layer myself and include sanitization on all the inputs.
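As an added illustration of the point above (example code written for this page, not the author’s ASP library and not anything from Rails), here is the string-concatenation mistake beside the bind-parameter fix that every database driver and ORM provides, using Python’s built-in sqlite3 module against a constructed two-row users table. It also shows why quote-escaping on its own is the wrong tool: doubling single quotes protects a quoted string context but does nothing for a bare numeric one, whereas a type check plus a bound parameter covers both. All table contents, function names and payloads are made up for the demonstration.

```python
import sqlite3

# Constructed sample data for this demonstration; not from any real system.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The classic mistake: the statement is assembled by string
    concatenation, so attacker-controlled text becomes part of the SQL
    grammar instead of staying a value."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_bound(conn, username, password):
    """The fix every driver and ORM provides: bind parameters. The SQL text
    is constant; the values travel separately and are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def escape_quotes(value):
    """Naive 'sanitizer' that doubles single quotes. It happens to protect a
    quoted string context, but does nothing for an unquoted numeric one."""
    return value.replace("'", "''")


def find_by_id_escaped(conn, user_id):
    """Escaping applied in the wrong context: the id is interpolated bare,
    so there is no quote to escape and the payload lands as SQL."""
    sql = "SELECT username FROM users WHERE id = " + escape_quotes(user_id)
    return [r[0] for r in conn.execute(sql).fetchall()]


def find_by_id_bound(conn, user_id):
    """Validate the type first, then bind it. Bad input is rejected before
    any SQL is built rather than silently concatenated."""
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("user_id must be an integer")
    sql = "SELECT username FROM users WHERE id = ?"
    return [r[0] for r in conn.execute(sql, (id_value,)).fetchall()]


def demo():
    """Run legitimate and injected inputs through each variant."""
    conn = make_db()
    tautology = "' OR '1'='1"   # classic password-field payload (constructed)
    comment = "' OR 1=1 --"     # username-field payload; comments out the rest
    try:
        id_attack = find_by_id_bound(conn, "2 OR 1=1")
    except ValueError:
        id_attack = "rejected"
    return {
        "concat_ok": login_concat(conn, "alice", "s3cret"),
        "concat_tautology": login_concat(conn, "alice", tautology),  # bypass
        "concat_comment": login_concat(conn, comment, "anything"),   # bypass
        "bound_ok": login_bound(conn, "alice", "s3cret"),
        "bound_tautology": login_bound(conn, "alice", tautology),    # None
        "bound_comment": login_bound(conn, comment, "anything"),     # None
        "escaped_id_ok": find_by_id_escaped(conn, "2"),
        "escaped_id_attack": find_by_id_escaped(conn, "2 OR 1=1"),   # all rows
        "bound_id_ok": find_by_id_bound(conn, "2"),
        "bound_id_attack": id_attack,                                # rejected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result!r}")
```

The persistence-layer abstraction the post describes is really just the discipline of never letting a request value reach `execute()` inside the SQL string: keep the statement text constant, pass values as parameters, and validate types at the boundary. That is what an ORM such as ActiveRecord does for you, and it is why escaping-based sanitization should be the fallback of last resort rather than the primary control.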
I would never trade such basic security measures for time or budget constraints, and if a client or employer ever asked me to do so, I’d explain that things could take an extra week or two now, or you could expose all of your valuable data for theft and destruction. In reality, such a discussion would not even come up, because the SQL abstraction and sanitization would be built into the timetable from the get-go, and is always non-negotiable.
So usually it comes down to the developers, the ones writing the code. In my experience, it usually comes from ignorance or laziness. On the ignorance side, sometimes you’ll find a developer who has always just “gotten by” as a programmer and whose depth of knowledge doesn’t pass much beyond the basics they learned years ago, which includes writing SQL statements in their web pages. On the lazy side, it’s the pass-the-buck mentality. Arguing that time and budget constraints are the cause is really an excuse for not doing your job as a developer, which includes educating business owners as to what needs to be done for a working and secure system.
Some of the blame does lie with those people hiring the ignorant and lazy developers though. In the end, you get what you pay for. We need to understand that software programming is becoming an ever more vital part of our society. It’s the foundation upon which much of our current civilization runs. That’s not something you outsource to the lowest bidder.
michaelbulat posted this