SQL Injection

  • Are there any DBA functions or procedures to prevent the SQL injection attack?

  • One of the best ways to prevent it is to use stored procedures for data manipulation, and then call these stored procedures from your application/website.

  • From your point of view, I have to make a stored procedure for each table insert, update and delete?

  • prashant-507002 (10/31/2011)

    From your point of view, I have to make a stored procedure for each table insert, update and delete?

    That's what I'd recommend, yes. See also this:

    www.sommarskog.se/dynamic_sql.html

    John

  • In my view, yes, that is the best way to access your data, as it will help with security and provide a layer between the data and the application.

  • But what if a hacker enters a value like john lucas;select * from dbo

    in the first name textbox?

  • With a stored procedure, that will cause an error.

    Actually, it may not always cause an error, but it will not do what the hacker is trying to do.

    Try it out in SQL Server to see what the results are.

    Also read the link that John posted; it explains the issues very well.

  • From the link I posted:

    - Never run with more privileges than necessary. Users that log into an application with their own login should normally only have EXEC permissions on stored procedures. If you use dynamic SQL, it should be confined to reading operations so that users only need SELECT permissions. A web site that logs into a database should not have any elevated privileges, preferably only EXEC and (maybe) SELECT permissions. Never let the web site log in as sa!

    - For web applications: never expose error messages from SQL Server to the end user.

    - Always use parameterised statements. That is, in a T-SQL procedure use sp_executesql, not EXEC().

    You might also consider validating the parameters within your stored procedure code so as, for example, to disallow any input containing "--".

    John
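The scenario in the two posts above (the textbox value john lucas;select * from dbo sent into a stored procedure, and John's advice to use sp_executesql rather than EXEC() and to grant the web site's login nothing beyond EXECUTE and, for dynamic SQL, SELECT), worked through as an added T-SQL example. It is not code from the thread or from the linked article; the table dbo.Contact, the three procedures, the role AppExec and the attacker string are all assumed. The attacker string differs from the thread's input in two ways: it adds a closing quote, because as typed in the thread the text would stay inside the string literal even in the concatenated version, and it avoids "--" so that John's suggested "--" filter alone would not catch it.

```sql
-- Added example, not from the thread: one hypothetical table, three procedures,
-- one constructed attacker string. Run in a scratch database on SQL Server 2008+.
CREATE TABLE dbo.Contact
(
    ContactId   INT IDENTITY(1, 1) PRIMARY KEY,
    FirstName   NVARCHAR(100) NOT NULL,
    Description NVARCHAR(MAX) NULL
);
GO

-- 1. Static SQL in a procedure: @FirstName can only ever be a value.
--    The "--" check is the defence-in-depth filter John mentions; it is not
--    what makes this procedure safe, the parameter is.
CREATE PROCEDURE dbo.Contact_Insert
    @FirstName   NVARCHAR(100),
    @Description NVARCHAR(MAX) = NULL
AS
BEGIN
    SET NOCOUNT ON;
    IF @FirstName LIKE N'%--%'
    BEGIN
        RAISERROR (N'First name contains an unexpected sequence.', 16, 1);
        RETURN;
    END;
    INSERT INTO dbo.Contact (FirstName, Description)
    VALUES (@FirstName, @Description);
END;
GO

-- 2. Dynamic search built by concatenation and run with EXEC(): injectable.
CREATE PROCEDURE dbo.Contact_Search_Unsafe
    @FirstName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ContactId, FirstName FROM dbo.Contact WHERE FirstName = '''
        + @FirstName + N'''';
    EXEC (@sql);  -- attacker text is compiled as part of the statement
END;
GO

-- 3. Dynamic search run with sp_executesql: the value travels as a parameter.
CREATE PROCEDURE dbo.Contact_Search_Safe
    @FirstName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT ContactId, FirstName FROM dbo.Contact WHERE FirstName = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(100)', @p = @FirstName;
END;
GO

-- Constructed attacker input for the first-name textbox. It closes the quote
-- and balances it at the end, so it contains no "--" and passes that filter.
DECLARE @attack NVARCHAR(100) =
    N'john lucas'';SELECT * FROM dbo.Contact WHERE FirstName <> ''';

EXEC dbo.Contact_Insert        @FirstName = @attack;  -- one row, text stored literally
EXEC dbo.Contact_Search_Safe   @FirstName = @attack;  -- returns that row and nothing else
EXEC dbo.Contact_Search_Unsafe @FirstName = @attack;  -- also runs the attacker's SELECT
GO

-- Least privilege for the web site's login: EXECUTE on the procedures, not sa,
-- not db_owner. Ownership chaining (procedure and table both owned by dbo) covers
-- the static INSERT, so Contact_Insert needs no table permission. The statement
-- that sp_executesql runs is outside the chain, so the caller of
-- Contact_Search_Safe needs SELECT on the table, as John's first point says.
CREATE ROLE AppExec;
GRANT EXECUTE ON dbo.Contact_Insert      TO AppExec;
GRANT EXECUTE ON dbo.Contact_Search_Safe TO AppExec;
GRANT SELECT  ON dbo.Contact             TO AppExec;
-- Contact_Search_Unsafe gets no grant; drop it rather than leave it callable.
DROP PROCEDURE dbo.Contact_Search_Unsafe;
GO
```

Run the batch as a sysadmin in a throwaway database and compare the three result sets: the insert stores the whole string as a single first name, the sp_executesql search finds exactly that row, and the EXEC() search returns a second result set listing every contact. Adding the web site's login to AppExec (sp_addrolemember, or ALTER ROLE ... ADD MEMBER on 2012 and later) is the step not shown here.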

  • I have a contact us page and on it there is one description field.

    In that, a hacker enters <script myfile.php>.

    By using an SP it will accept the value, as it has datatype varchar(max).

    But when the page loads it gives an error.

  • prashant-507002 (10/31/2011)

    I have a contact us page and on it there is one description field.

    In that, a hacker enters <script myfile.php>.

    By using an SP it will accept the value, as it has datatype varchar(max).

    But when the page loads it gives an error.

    So it now sounds like you have successfully prevented SQL injection, but your contact us page needs some help to not crash. 😎

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
