SQL Injection

  • I do not have any idea about SQL Injection.

    What is it and why should we use it?

    How can we use it and when can we use it?

    Paresh Prajapati
    ➡ +919924626601
    http://paresh-sqldba.blogspot.com/
    LinkedIn | Tweet Me | FaceBook | Brijj

  • You DON'T want to use SQL Injection. This is a method used to ATTACK your database. To learn more I'd start by Googling SQL Injection.

    There also may be some articles or links here on SSC that you could read, so you might also try Googling this site for more information.

  • There are articles all over the internet on this. It's easy to test and play with on a test server. Essentially you're vulnerable to SQL injection if you are using ad hoc queries via applications which accept user-typed input.

    There are multi-tiered approaches to preventing an attack, or securing your data. You need to work with application developers and discuss with them ways to prevent the system from being vulnerable.

    1. User input should be checked for valid data and not "comment" characters at the application side.

    2. Try to avoid user "typed" input.

    3. When possible use parameter based stored procedures, in lieu of adhoc queries.

    Here's an MSDN article that goes into detail:

    http://msdn.microsoft.com/en-us/library/ms161953.aspx

    steve

  • I will add a couple more steps to prevent it...

    1. Make sure all DB access is through stored procs. Then you do not have to give any rights on the table itself to the Application User.

    2. Try not to use Dynamic SQL. It is quite dangerous if you do not know what you are doing. You have to be very very careful when using Dynamic SQL.

    3. Try to use Windows Authentication for your Application user with a very basic rights.

    -Roy

  • I would recommend any applications being developed that access/update a SQL database be designed using connections with parameters for inserting search criteria. Some applications are developed using command text that consists of only a string. The string value given to the command text allows for the insertion of a variable value obtained from user input to the application. When this occurs, assuming value validation is not being accomplished, a user can add extra characters to the value to trick the server into returning more data than desired. For example, if a variation of " OR 1=1" is added to a variable being inserted into a part of the command text for a server connection, then all the rows from the table would be returned.

    Hope this helps.
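A worked comparison of the two command-text styles described in this post and of the "parameters, not ad hoc strings" advice in the earlier replies (added here as an illustration; not code from any poster). It uses Python's sqlite3 in-memory database as a stand-in for SQL Server, so the placeholder is `?` rather than a named `@param`; the `users` table and its rows are constructed sample data.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"),
         (3, "carol", "user"), (4, "o'brien", "user")],
    )
    return conn


def find_user_concat(conn, name):
    """Vulnerable style: user input is pasted straight into the command text.

    Whatever the caller typed becomes part of the SQL statement, so the
    " OR 1=1" variation mentioned in the post changes the WHERE clause and
    the whole table comes back.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Hardened style: the value travels as a parameter, never as SQL text.

    The driver sends the statement and the value separately, so the input is
    compared as a literal string; it cannot alter the query's structure.
    """
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(conn, name):
    """Run both versions on the same input and report what each returned.

    Concatenation also breaks on legitimate names containing a quote
    (o'brien), which the parameterised version handles correctly.
    """
    try:
        concat = find_user_concat(conn, name)
    except sqlite3.Error as exc:
        concat = f"error: {exc}"
    return {"concat": concat, "param": find_user_param(conn, name)}
```

Run `compare(build_db(), "' OR 1=1 --")` to see the concatenated query return every row while the parameterised one returns none; `compare(build_db(), "o'brien")` shows the concatenated query failing on an ordinary name.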

  • A good reference for how bad this stuff can be is Neil Carpenter's blog. He is a member of the Security Response team at MS and has a few really good posts detailing specific attack signatures:

    http://blogs.technet.com/neilcar/archive/tags/SQL/default.aspx

    Jonathan Kehayias | Principal Consultant | MCM: SQL Server 2008
    My Blog | Twitter | MVP Profile
    Training | Consulting | Become a SQLskills Insider
    Troubleshooting SQL Server: A Guide for Accidental DBAs

  • Was someone's account hijacked to ask this question?

    DBA, Veteran ???

  • NotManyPoints (2/3/2009)

    Was someone's account hijacked to ask this question?

    I doubt it.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • NotManyPoints (2/3/2009)

    Was someone's account hijacked to ask this question?

    DBA, Veteran ???

    DBA is his avatar; veteran is because he has over 300 posts. That level is not guaranteed to reflect skill levels.

    There's no harm in trying to upgrade the skills either.

  • I know what the things mean, and DBA is more than the avatar; it is stated as occupation.

    It was a quizzical comment on the information about a person possibly not reflecting true knowledge.

    Who can you trust if you can't trust an online persona with an avatar and number of points... (Sarcasm, lowest form of wit, I know….)

    Would they be upgrading their 'site' level or their actual 'skill' in asking this question.

    As it should suggest if you have 'used' this site and generated over 300 posts, some 'skill' must have sunk in.

    Fully expect to get blasted for this, but just getting those posts up… :Whistling:

  • NotManyPoints (2/3/2009)

    As it should suggest if you have 'used' this site and generated over 300 posts, some 'skill' must have sunk in.

    Not necessarily. There's a person on another SQL forum that I frequent that has over 1000 posts, but still asks beginner-level questions.

    Points != skill level, just forum activity. I assure you, a good portion of mine are from chit-chat type posts.

    Judge advice and answers based on the content and (if you want to do research) the other answers that the person has given, not just on the number of points.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • NotManyPoints (2/3/2009)

    I know what the things mean, and DBA is more than the avatar; it is stated as occupation.

    It was a quizzical comment on the information about a person possibly not reflecting true knowledge.

    Who can you trust if you can't trust an online persona with an avatar and number of points... (Sarcasm, lowest form of wit, I know….)

    Would they be upgrading their 'site' level or their actual 'skill' in asking this question.

    As it should suggest if you have 'used' this site and generated over 300 posts, some 'skill' must have sunk in.

    Fully expect to get blasted for this, but just getting those posts up… :Whistling:

    There is actually a thread about some of the posted questions. Some of your comments might be better posted there but again, it might be better to keep them non personal. Not trying to be harsh but there are many that come to this site to learn and the last thing that I desire, and most likely many others, is to scare them away. May be the only place they can come. Know what I mean. 😉

    http://www.sqlservercentral.com/Forums/Topic604325-61-23.aspx#bm648435

    David

    @SQLTentmaker

    “He is no fool who gives what he cannot keep to gain that which he cannot lose” - Jim Elliot

  • GilaMonster (2/3/2009)

    NotManyPoints (2/3/2009)

    As it should suggest if you have 'used' this site and generated over 300 posts, some 'skill' must have sunk in.

    Not necessarily. There's a person on another SQL forum that I frequent that has over 1000 posts, but still asks beginner-level questions.

    Points != skill level, just forum activity. I assure you, a good portion of mine are from chit-chat type posts.

    Judge advice and answers based on the content and (if you want to do research) the other answers that the person has given, not just on the number of points.

    +1 I couldn't stress what Gail says here enough. There are people on the other forums that I goof off in that have tons of posts and points, but answer 1 in maybe 10-12 times that they post. I try and keep about a 50-50 post to answer ratio in what I do in technical forums. Sometimes it just takes 10 posts to get to the bottom of a thread and provide an answer to the issue, but most times you can hit a home run if you are technically proficient with a single post or two.

    Number of posts/points in any forum is not a measure of technical knowledge. Unfortunately for people on the outside looking in to the forums, that is usually the way that they gauge things, and it can be very wrong to do so.

    Another thing to note is that what might seem 100 level to you may not be for someone else. I got flamed a few months back for asking a basic FullText Index question on another forum, because I am a Moderator/MVP. It's not something I had ever worked with before, and in a pinch I needed some help and couldn't spend a few hours trying to find out enough to figure it all out. There are plenty of decent DBA/Developers out there that don't know about SQL Injection. Just look at the number of major sites that have been hit by it.

    Jonathan Kehayias | Principal Consultant | MCM: SQL Server 2008
    My Blog | Twitter | MVP Profile
    Training | Consulting | Become a SQLskills Insider
    Troubleshooting SQL Server: A Guide for Accidental DBAs

  • Jonathan Kehayias (2/3/2009)

    Another thing to note is that what might seem 100 level to you may not be for someone else. I got flamed a few months back for asking a basic FullText Index question on another forum, because I am a Moderator/MVP.

    What? That's insane. Remind me to stay away from those forums.

    I posted a couple of Oracle - SQL replication questions here a few months ago because I'd run into issues on the Oracle side, and I know nothing about Oracle.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
