September 8, 2010 at 1:54 pm
Can anyone tell me how I can disable the @@ commands so that a SQL user cannot use them?
Reason:
A hacker was able to see the SQL version, the SQL database, etc. via SQL injection.
September 8, 2010 at 2:12 pm
I don't believe you can.
Rather, concentrate on fixing the SQL injection vulnerability (hint: parameterised queries). Seeing the version of SQL is one of the more harmless things the hacker could likely have done.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
September 8, 2010 at 2:14 pm
I don't have a way to turn those off, but all of your dynamic code should be run with sp_executesql using parameters to help protect against SQL injection if you absolutely need dynamic SQL.
It's either that, or you need to scrape the strings in your procedures and look for injection characters/techniques in the parameters sent to the procs for the dynamic portion.
Hopefully someone comes back with the answer to the security though, I'm curious myself. AFAIK those basic commands are permanently available.
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. | Tally Tables
Twitter: @AnyWayDBA
September 9, 2010 at 9:07 am
Thanks for your replies.
I am working with code that is very old and the boss doesn't want to go back to update it.
I have limited the webuser so it can not run the sysobject commands.
So any help anyone can give me with the @@ functions would be great.
September 9, 2010 at 2:57 pm
DECLARE @UserSubmittedString nvarchar(4000) = N'abc @@VERSION';  -- sample input so the line below runs as-is
SELECT REPLACE(@UserSubmittedString, '@@', '');
September 9, 2010 at 3:44 pm
THolley, what Steve posted above is your best solution if you're proc based, but if this is straight dynamic SQL from a front-end code base you're basically SOL without recoding. You need to have anti-SQL-injection wrappers on all of your inputs in the front end if you're sending all your select statements directly without using procs.
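The three points made in this thread, side by side, as an added example that is not code posted by any of the participants: the concatenated dynamic SQL that lets an injected string reach @@VERSION, the same procedure with the REPLACE('@@') filter suggested above, and the sp_executesql parameterisation recommended in the earlier replies. The table dbo.Products and the three procedure names are hypothetical; SERVERPROPERTY, DB_NAME and sp_executesql are real SQL Server built-ins.

```sql
-- Added example for this thread (not code posted by anyone above).
-- Assumes a hypothetical table dbo.Products(ProductID int, Name nvarchar(100));
-- the procedure names are also hypothetical.

-- 1. The pattern behind the reported leak: the user's text is spliced into the
--    statement, so it is parsed as SQL rather than treated as a value.
CREATE PROCEDURE dbo.SearchProducts_Concat
    @Search nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT ProductID, Name FROM dbo.Products WHERE Name LIKE ''%'
              + @Search + N'%''';
    EXEC (@sql);
END;
GO
-- @Search = N''' UNION SELECT 1, @@VERSION --' turns @sql into
--   SELECT ProductID, Name FROM dbo.Products WHERE Name LIKE '%' UNION SELECT 1, @@VERSION --%'
-- and the server's version string comes back as a result row.

-- 2. Filtering the '@@' token keeps the splice and only blocks one spelling.
--    Built-ins that contain no '@@' return the same facts, e.g.
--    SERVERPROPERTY('ProductVersion') or DB_NAME(), so an input such as
--    N''' UNION SELECT 1, CAST(SERVERPROPERTY(''ProductVersion'') AS nvarchar(128)) --'
--    passes REPLACE(@Search, '@@', '') unchanged and still executes.
CREATE PROCEDURE dbo.SearchProducts_Filtered
    @Search nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @Search = REPLACE(@Search, '@@', '');
    SET @sql = N'SELECT ProductID, Name FROM dbo.Products WHERE Name LIKE ''%'
              + @Search + N'%''';
    EXEC (@sql);
END;
GO

-- 3. The fix from the replies: bind the user's text with sp_executesql.
--    @p is a parameter of the batch, so nothing inside it is parsed as SQL;
--    neither @@VERSION nor SERVERPROPERTY() in the input ever reaches the parser.
CREATE PROCEDURE dbo.SearchProducts_Param
    @Search nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT ProductID, Name FROM dbo.Products WHERE Name LIKE ''%'' + @p + ''%''';
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @Search;
END;
GO
```

Two caveats when adopting the third procedure. Dynamic SQL, whether run through EXEC() or sp_executesql, executes under the caller's permissions rather than the procedure owner's (ownership chaining does not cover it), so the restricted web user still needs SELECT on dbo.Products, or the procedure needs an EXECUTE AS clause. And if the statement shape never actually changes, as here, a plain static SELECT with @Search used directly in the WHERE clause needs no dynamic SQL at all and is the simplest fix.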