Several website owners this past week, including the United Nations and the UK Government, were left with a compromised database after being hit with the notorious SQL injection bug. This is a flaw in which a basic ASP webpage can run malicious script on a SQL server. The mass attack hit a number of website that were ASP driven and supported querystring paramters for database lookup. Webpages can allow for dynamic retrieval of information based upon querystring parameters; however if programmed in a basic manner, it might allow for a malicious script to be run. Here is a basic example of a page that is vulnerable: Page: BadCode.asp Dim myVar myVar = Request("input") ... objComm.CommandText = "Select * from myTable where ID=" & myVar objRS.Open objComm.Execute ... In the normal situation, this will query the database for the specified record. However if the value of input is passed in as a malicious script, it could be run by the SQL server and run amok! Le...