Friday | 10 July, 2009
CSO
How one site dealt with SQL injection attack
SQL injection attacks claim a victim
Ellen Messmer (Network World) 02/05/2008 08:34:08

Autoweb may be making changes in its infrastructure for future defense against such attacks. Autoweb's Web application and database reside on the same server, but to use Secerno's security appliance, the two would have to be separated onto different servers.

Secerno's Moyle says there are an "infinite number of different SQL injection attacks." They are all designed "to fool the application layer into passing a command to the database to ask the database something you wish it wouldn't ask."

Moyle's opinion is that while there are good tools for penetration testing, such as SPI Dynamics, it's "not about the tools, it's the people using them."

Individuals with expertise are what count the most, he says, pointing to Next Generation Security Software, which has offices in the United Kingdom and the United States, as one firm with a strong reputation in understanding SQL injection attacks at the application layer.

Application-layer firewalls are another approach to preventing SQL injection attacks and similar threats that may exploit vulnerabilities, such as cross-site scripting.
