The article seems to paint SQL injection attacks as though they're incredibly hard to prevent and are thus unavoidable. Obviously, that's completely wrong. You have to go out of your way to allow SQL injection.
The solution to SQL injection attacks is to hire programmers to write your application, not bums off the street. What a concept.
(There is one case where I'll forgive the developers; a while back there was a MySQL library bug that let bind variables inject SQL in certain cases. That's not the fault of the app developer, and it was fixed with a library update.)
Especially when the contractor had no idea how to find and fix the Web page vulnerability that allowed the SQL injection attack code to execute successfully.
Every time SQL injection comes up everyone says how easy it is to prevent with one line of code, and then no one ever shares that one line!
From Wikipedia:
Using Parameterized Statements
Parameterized statements use parameters (sometimes called placeholders or bind variables) instead of embedding user input in the statement. In many cases, the SQL statement is fixed. The user input is then assigned (bound) to a parameter. This is an example using Java and the JDBC API:
PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");
prep.setString(1, pwd);
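The "one line" asked for above, shown beside the mistake it replaces. This is an added example, not code from the thread or from the Wikipedia article quoted in it; it uses Python's standard sqlite3 module and a constructed in-memory USERS table rather than JDBC, but the mechanism is the same as the Java snippet: the statement text stays fixed and the value is bound to a ? placeholder. The concatenated version lets quote characters in the input rewrite the query (and also breaks on perfectly legitimate values containing an apostrophe); the bound version compares the input as a literal in both cases.

```python
import sqlite3


def make_db():
    """Constructed example data (not from the page): one user row in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (NAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def count_matches_concat(conn, pwd):
    """Vulnerable: the user-supplied value is spliced into the SQL text,
    so any quote characters in it become part of the statement."""
    sql = "SELECT * FROM USERS WHERE PASSWORD='" + pwd + "'"
    return len(conn.execute(sql).fetchall())


def count_matches_param(conn, pwd):
    """Hardened: the statement text is fixed; the value is bound to the ?
    placeholder and compared as data, never parsed as SQL."""
    sql = "SELECT * FROM USERS WHERE PASSWORD=?"
    return len(conn.execute(sql, (pwd,)).fetchall())


def concat_raises_on_quote(conn):
    """The same defect that enables injection also breaks ordinary input:
    a value with an apostrophe yields malformed SQL in the concatenated form."""
    try:
        count_matches_concat(conn, "it's")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run both forms against the right password, a wrong password, and a
    constructed input containing SQL metacharacters; return the row counts."""
    conn = make_db()
    right = "s3cret"
    wrong = "wrong"
    meta = "' OR '1'='1"  # constructed input; turns the concatenated WHERE into a tautology
    return {
        "concat_right": count_matches_concat(conn, right),
        "concat_wrong": count_matches_concat(conn, wrong),
        "concat_meta": count_matches_concat(conn, meta),
        "param_right": count_matches_param(conn, right),
        "param_wrong": count_matches_param(conn, wrong),
        "param_meta": count_matches_param(conn, meta),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v} row(s)")
    print("concat breaks on apostrophe:", concat_raises_on_quote(make_db()))
    print("param handles apostrophe, rows:", count_matches_param(make_db(), "it's"))
```

The only difference between the two query functions is whether the value travels inside the SQL string or beside it as a bound parameter; everything else (connection, table, result handling) is identical, which is why the fix is routinely described as a one-line change.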