The wide scope of this attack begs the question of how developers and webmasters can prevent their own sites from falling victim to similar malicious strategies.

SQL injection attacks work by exploiting poorly-written database code to insert unwanted SQL into database queries in order to view, modify, or gain access to the database.

Cross-site scripting (XSS) attacks work a little differently because they typically don’t have to alter the SQL queries themselves. These attacks simply insert a snippet of JavaScript code into the text fields of the database that are then displayed somewhere on the website. Whenever pages with this malicious script are visited, the code executes and redirects the user. The goal of XSS attacks is to run some remote code or redirect the user to a spyware-infested website.

In both SQL injection attacks and XSS attacks, your susceptibility can be greatly lessened by proactively controlling any form of user-entered information and “sanitizing” your input. For example, by not allowing HTML code to be entered, filtering out certain dangerous characters, and HTML encoding text before inserting it into the database, you can eliminate many of the possible means of attack.

One of the simplest and most effective measures you can take is to make use of database parameters whenever making queries as they have built-in features to filter input and make variables database-safe. Almost all modern languages support parameterized queries, they eliminate much of the potential for error, and they are especially useful for preventing SQL injection attacks.

While it is important to filter input to prevent SQL injection attacks, it can also be beneficial to filter text that is being displayed to prevent XSS hacks. This can entail HTML encoding output or filtering for specific elements, such as hyperlinks or <script> tags (I have also seen image tags with an onerror attribute used for this same purpose).

Although none of these techniques are a magic bullet, a thoughtful combination of these will greatly increase your site’s defenses against SQL injection attacks and a variety of other common security threats.

Resources:

• http://arstechnica.com/security/news/2011/03/massive-sql-injection-attack-making-the-rounds694k-urls-so-far.ars
• http://www.net-security.org/secworld.php?id=10833

There are generally two types of clients who seek out search engine marketing services – those who are new to the discipline and are researching various companies, and those who were unhappy with a previous SEO company and are now looking to engage with the right vendor. Whatever your background or familiarity with SEO, it’s important to understand that while most good firms do require a contract for services, the firms that have the most confidence in their own abilities will offer the chance to prove themselves to you by first providing a no-contract, introductory pay-per-click campaign.

Click here to read the full article.

Many of you know that the Medium Blue office is pet-friendly (check out our Facebook Page for pictures of our canine coworkers), and we love working with the AHS!

To read more about our award, click here.

Amity Zvanut Lackey, Medium Blue's Director of Client Services (right), presenting the American Marketing Association AMY Award to our clients and friends at the Atlanta Humane Society: AHS Graphic Artist and Web Developer Teri French (center) and AHS Vice President of Development Cathy Sleva (left)

ATLANTA, GA – July 27, 2010 – Medium Blue Search Engine Marketing is pleased to announce that it was named the number one search engine optimization company by respected industry resource PromotionWorld for July 2010. After evaluating numerous SEO companies in an independent study based on their services, package diversity, overall value, customer service, and website popularity, PromotionWorld bestowed the title on the award-winning Atlanta, Georgia based SEO firm, the results of which can be viewed here…

Click here to read the press release in full.