Ziff Davis Enterprise
Friday, June 27, 2008 7:18 AM/EST

Limitations in Scrawlr

One of the measures Microsoft recently took in reaction to a wave of SQL injection attacks was to point people to the crawling tool Scrawlr from HP.

Now Mike Tracy of Matasano Security has a blog post discussing some of the limitations of that tool and how to get around some of them. They refer to it as "... a cripple-ware SQL injection scanner" and don't seem to have a very high opinion of it, but they also argue that it's not nothing, although there are better crawlers out there.

Personally, I don't think Microsoft was overselling Scrawlr. If that were all they had announced the other day, it would be worth ridiculing, but they also announced a source code analysis tool (probably the most effective of the three tools they announced) and a new beta of UrlScan to monitor for some SQL injection attacks live on the site. But they also made it clear that the real solution to SQL injection is to write your applications in a way that resists it, generally with parameterized queries instead of dynamic query building.
