I'd like to point out that SQL injection attacks are not limited to IIS web servers. Not properly escaping SQL statements in PHP can lead to SQL injection attacks, and the same problem exists in Python, in Perl, and in a multitude of languages. Not properly creating limited-access users aggravates the situation as well.
Using Hibernate helps developers by providing a robust persistence layer. But it is important to note the role of this layer -- the persistence layer is simply an abstraction from the underlying SQL. For many software projects, it is a good idea to have a persistence layer since having this layer can provide a measure of protection against SQL injection attacks, but at some point in their code, raw SQL needs to be issued to the database.
It seems to me the point of the article is NOT that SQL injection attacks can occur, but rather that MSSQL stored procedures allow automated attack scripts to run.
If my memory serves me correctly, SP2 was also delayed several weeks due to the discovery of the integer overflow class of vulnerabilities.