
Jun25
A Case For Design
I briefly touched on this subject a month or so ago and got in all kinds of trouble. Being a slow learner, I am going to try again. Some Websites are being plagued by SQL injection attacks. I will present the definition line from that reference here: “SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.” Somehow, this definition implies that such things are unavoidable.

Similarly, here is a response to the problem from Microsoft, as a part of a code release to reduce the problems: "Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database." Again, this is made to sound as if the developers are at fault.

I have been designing and writing software for 30 years, including the design and population of computer programs, databases and data warehouses. Developers work within very tight syntax and command structure limitations imposed by the companies and teams which provide languages and databases. There is little, if any, choice in this matter. If the programming language or database makes something impossible, developers have to work very hard indeed to make it possible.

In other words, it is the designers and builders of programming languages that decide what is possible and what is not. With a great deal of effort, developers are usually clever enough to work their way around what they feel (sometimes correctly) are design shortfalls. That is not the case here. With SQL injection, the problem is the simpler shortcuts, such as splicing user input directly into the SQL text, that the programming languages and databases allow. Just stop allowing those shortcuts.

Instead of whining and complaining about the developers, the people that sell or otherwise provide programming languages and databases should make it very difficult indeed for such things to happen. It would be much easier for a dozen companies and groups to close these holes, or make them very hard to get through, than it would be to change the way hundreds of thousands of developers write, and may wrongly write, code. If they make it hard enough, the developers are very unlikely to do things the wrong way.
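To make the argument concrete, here is an added example (not from the original post) of the two paths a developer can take, plus a hypothetical wrapper that removes the shortcut entirely. It uses Python's built-in sqlite3 module with a constructed in-memory table; the data, names and the StrictDB class are assumptions for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not taken from the original post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def count_concat(conn: sqlite3.Connection, name: str, secret: str) -> int:
    # The "shortcut" the post objects to: user input spliced into the
    # SQL text, so the database cannot tell data apart from code.
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND secret = '{secret}'"
    return conn.execute(sql).fetchone()[0]


def count_param(conn: sqlite3.Connection, name: str, secret: str) -> int:
    # Parameterized form: values travel separately from the statement and
    # are bound as typed data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND secret = ?"
    return conn.execute(sql, (name, secret)).fetchone()[0]


class StrictDB:
    """Hypothetical wrapper illustrating the post's proposal: the API
    refuses SQL text that carries quoted literals, so values can only be
    supplied as parameters. A crude rule; real enforcement belongs in the
    driver or language, which is the post's point."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def execute(self, sql: str, params: tuple = ()) -> sqlite3.Cursor:
        if "'" in sql or '"' in sql:
            raise ValueError("quoted literal in SQL text; pass values as parameters")
        return self.conn.execute(sql, params)
```

With a tautology in the secret field, count_concat matches every row while count_param matches none, and StrictDB rejects the concatenated statement before it reaches the database.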

This entire discussion is like airplane manufacturers saying that all crashes are the fault of pilots, when in truth most are the fault of airplane designers. The developers are the pilots in the SQL injection situation, and blaming them is not an efficient way to fix the problem. If you make it impossible to code software that allows an SQL injection to happen, they will stop. If you leave it totally up to the developers, they will not all stop. Which is the better choice?
