Microsoft’s UK site was defaced on June 26 by hackers apparently from Saudi Arabia, using a SQL Injection attack. This comes only a few weeks after another Microsoft web site defacement by SQL Injection attack back in early May.

This is a fairly old and easy to defeat attack method that is not SQL Server specific. Someone enters some mal-formed SQL into a text box that is used to build a dynamic SQL string that is submitted to a database server. This allows them to run unauthorized queries to find out the structure of your database and to see and/or even alter/delete your data.

You can defeat this type of attack by limiting and validating your input, using stored procedures, and by using the principle of least privilege. This MSDN article explains the concept in more detail.