Five Ways to Stop Mass SQL Injection Attacks

by | Tuesday, September 7, 2010 11:26:00 AM

Security experts say that there are several steps that IT professionals can take to prevent and mitigate the risk of mass SQL injection attacks. For starters, Web developers should never trust the data that is input into their sites. This means that Web developers should ensure that such data is exactly the type of information they want, said Alex Rothacker, the manager of Application Security's research unit, Team SHATTER.

For example, Web developers should ensure that fields that ask for Social Security numbers are used to input only that information and not other types of data, Rothacker said. In addition, organizations should create and enforce secure coding guidelines for in-house software that require SQL to be constructed using parameterized queries, which help prevent SQL injection attacks by separating code from data, said Jacob West, the security research director at Fortify Security.

IT professionals can also protect their organizations from SQL injection attacks by installing filtering and monitoring tools at both the Web application and database levels. At the application level, organizations should implement runtime security monitoring and Web application firewalls, while at the database level they should implement database activity monitoring, Rothacker and West said.

Finally, members of the development team and DBAs need to carefully think about the error messages they develop for occasions when users input unexpected information, since hackers can use such messages to learn about an organization's database schema, said Dasient co-founder and chief technology officer Neil Daswani.
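As an added illustration (not code from the article or from any of the vendors quoted), the following Python script contrasts the string-built query West warns against with its parameterized form, adds the format check Rothacker recommends for a Social Security number field, and returns a generic error instead of database details as Daswani advises. It uses an in-memory SQLite table loaded with constructed, fictitious rows.

```python
import re
import sqlite3

# Constructed sample data: fictitious SSNs and names for demonstration only.
SAMPLE_ROWS = [("123-45-6789", "alice"), ("987-65-4321", "bob")]

# A Social Security number field should accept only the SSN format.
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


def connect_sample_db():
    # Build a throwaway in-memory database seeded with the sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (ssn TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, ssn):
    # Vulnerable pattern: the input is spliced into the SQL text, so the
    # database cannot tell where the code ends and the data begins. A stray
    # quote in the input changes the statement's structure.
    sql = "SELECT name FROM customers WHERE ssn = '%s'" % ssn
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, ssn):
    # Hardened pattern: the statement shape is fixed and the value is bound
    # separately, so whatever the user typed is only ever treated as data.
    sql = "SELECT name FROM customers WHERE ssn = ?"
    return [row[0] for row in conn.execute(sql, (ssn,))]


def lookup_validated(conn, ssn):
    # Validate the field's type first, then query with a bound parameter.
    # Both the rejection and any database error produce the same generic
    # message, so nothing about the schema leaks to the caller.
    if not SSN_RE.fullmatch(ssn):
        return {"ok": False, "error": "invalid request"}
    try:
        return {"ok": True, "names": lookup_parameterized(conn, ssn)}
    except sqlite3.Error:
        return {"ok": False, "error": "invalid request"}


if __name__ == "__main__":
    db = connect_sample_db()
    print(lookup_parameterized(db, "123-45-6789"))  # ['alice']
    print(lookup_validated(db, "not-an-ssn"))       # {'ok': False, 'error': 'invalid request'}
```

The same input containing a single quote makes the string-built query fail with a syntax error while the parameterized query simply finds no matching row.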

