 Wednesday, June 25, 2008
Posted by Kavinda Munasinghe on Wednesday, June 25, 2008 11:39:26 AM (Sri Lanka Standard Time, UTC+05:30)
Those nasty SQL Injection attacks have not stopped. They’ve probably just started!

If you’re still in the process of going through your SQL code and making sure it’s not susceptible to SQL injection attacks, that means your websites are still wide open to the attack.

However, not to worry: the Microsoft IIS team has come to the rescue by announcing the shiny new Microsoft UrlScan Filter v3.0 Beta release. It includes a GoLive license, so you can deploy it on your production servers.

Here are some of the cool new features:

  • Support for query string scanning, including an option to scan an un-escaped version of the query string.
  • Change notification for configuration (no more restarts for most settings).
  • UrlScan can be installed as a site filter. Different sites can have their own copy, with their own configuration.
  • Escape sequences can be used in the configuration file to express CRLF, a semicolon (normally a comment delimiter) or unprintable characters in rules.
  • Custom rules can be created to scan the URL, query string, a particular header, all headers or a combination of these. The rules can be applied based on the type of file requested.
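As an added illustration (this is not from the post, and not a configuration shipped by the IIS team), here is what a site-level UrlScan.ini could look like using the custom rule and query string features listed above: the query string of .asp/.aspx requests is checked against a deny list, and UnescapeQueryString turns on scanning of the decoded query string so that URL-encoded variants are caught as well. The key names follow the UrlScan 3 configuration reference as I remember it and should be checked against the UrlScan.ini that ships with the beta; the rule name, extension list and deny strings are my own choices and would need tuning against real traffic before going live.

```ini
; Illustrative UrlScan.ini fragment (assumed key names, my own rule and patterns)

[Options]
; Also scan a URL-decoded copy of the query string, so that encoded
; sequences such as %2D%2D ("--") are matched by the rules below.
UnescapeQueryString=1

; Rule names listed here are looked up as their own sections.
[RuleList]
SQLInjection

[SQLInjection]
; Only apply this rule to requests for these file types.
AppliesTo=.asp,.aspx
; Section holding the strings that cause a request to be rejected.
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
; Scan the query string (raw and, because of UnescapeQueryString, decoded).
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
; One string per line; matching is case-insensitive.
; Keep this list narrow: broad entries such as "select" will reject
; legitimate requests, which is why the patterns are limited to
; sequences that rarely occur in normal parameter values.
--
xp_
@@
; Semicolon is the comment delimiter, so the encoded form is listed instead.
%3b
```

Rejected requests are logged by UrlScan, so the log file is the place to confirm a rule is matching what you expect before tightening it, and to spot legitimate traffic it is turning away.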

One important thing to remember: although this will protect websites against this latest form of SQL injection attack, any poorly written code still needs to be fixed. No escaping on that.



Copyright © 2008 Kavinda Munasinghe. All rights reserved.