Since SQL Injection appears to be a topical issue on the list at the moment

Cheers
Ken

------------------------------------------------------------------------
From: MSRC-MVP On Behalf Of Zot O'Connor
Sent: Saturday, 31 May 2008 2:45 PM
To: MSRC-MVP
Subject: Blogs on SQL injection.

We have posted a round of blogs to help people with the SQL injection attacks. The articles are nothing earth-shattering, but we wanted to collect the information that is out there to help end-users, and to give a single place for people to point to help navigate the various KBs and articles. We also tried to fill in the missing gaps we saw in combating the problem (Classic ASP was #1 request).

We have targeted detection/prevention at the various layers (client, web server, web app, DB).

All of these are new articles in the last few days. Expect more over the next few weeks. We are trying to reflect the feedback I received from my inquiries earlier this week. Please feel free to keep sharing.

Please feel free to link to, forward and comment on these articles. Any feedback you have, please send to me as well.

SWI Blog:
http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx

IIS blog: (Classic ASP a big request I received)
http://blogs.iis.net/nazim/archive/2008/04/28/filtering-sql-injection-from-classic-asp.aspx

Neil on SQL parameterized queries:
http://blogs.technet.com/neilcar/archive/2008/05/21/sql-injection-mitigation-using-parameterized-queries.aspx

Michael Howard on how SDL handles this issue:
http://blogs.msdn.com/sdl/archive/2008/05/15/giving-sql-injection-the-respect-it-deserves.aspx

MSDN article on Classic ASP (though a good primer in general):
http://msdn.microsoft.com/en-us/library/cc676512.aspx

MMPC malware article:
http://blogs.technet.com/antimalware/archive/2008/05/30/when-sql-injections-go-awry-incident-case-study.aspx