It’s one thing to know that SQL injection is bad, and quite another to have some stats to back it up. I came across a Michael Sutton blog post on the topic via Joel Spolsky’s latest blog post.
Out of 708 sites checked, 80 had potential vulnerabilities to SQL injection attacks. Beyond the importance of SQL injection as a security hole, the most interesting thing about Sutton’s article was the tool he built to come up with these stats. He used a C# app with the Google API to get his results. I only wish I had time to build a tool that clever and useful.