There’s a new paper out on SQL injection DoS attacks. Given the severity of the claims, I don’t see why this isn’t getting more coverage. The authors purport that almost any server with a SQL back-end and a search form is vulnerable. Essentially, they craft SQL queries that take an exorbitantly long amount of time to execute. When launching a small handful of them, you can actually make a database completely unresponsive. Although perhaps not as damaging as traditional SQL injection (most people would rather have their data unavailable rather than in the hands of an attacker), it appears to be much easier to execute, so it probably won’t be long before people start seeing this show up everywhere.