February 1, 2004 at 10:09 am
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/chedgate/sqlinject
February 2, 2004 at 4:40 am
I think this also illustrates why DBA's need to included in development and why code must be vetted by someone competent to do so.
If you are going to use the command object then you can go one better and wrap it all up in a DLL.
In addition to the SQL Injection attack protection you are running compiled code.
I have seen cases where tweaking IIS caused ASP to start spewing out either hacker friendly error messages or in one case ASP source code complete with connection strings.
February 2, 2004 at 8:05 am
Don't forget about the Open Web Application Security Project has another great source:
K. Brian Kelley
@kbriankelley
February 2, 2004 at 12:34 pm
Good information, thank you Chris.
As a DBA SQL Injection is one of my big concerns. My biggest problem usually lies in getting our developers to appreciate that it's a real problem that they need to be constantly aware of.
By limiting (eliminating) all direct grants at the table level and forcing all access through stored procedures, we can go quite a long way to safeguard our data. As Chris points out, stored procs, by themselves, don't eliminate the threat, but if all access is controlled through them, an attacker will not be able to do, or see, anything in the database that isn't specifically allowed anyway.
/*****************
If most people are not willing to see the difficulty, this is mainly because, consciously or unconsciously, they assume that it will be they who will settle these questions for the others, and because they are convinced of their own capacity to do this. -Friedrich August von Hayek
*****************/
February 2, 2004 at 1:54 pm
Well... with cross-database ownership chaining, there is still quite a bit of recon an intruder can do. Hence the reason to use Command objects or the equivalent thereof as well as stringent input validation.
K. Brian Kelley
@kbriankelley
February 2, 2004 at 3:17 pm
True enough, but as a rule we don't allow cross-database ownership chaining. That, combined with locking down master as much as possible helps mitigate that threat.
I was not implying that forcing the use of sp's eliminates the risk, but as a DBA I'm not willing to just leave it all in the developer's hands either... The problem should be attacked at both ends.
/*****************
If most people are not willing to see the difficulty, this is mainly because, consciously or unconsciously, they assume that it will be they who will settle these questions for the others, and because they are convinced of their own capacity to do this. -Friedrich August von Hayek
*****************/
February 3, 2004 at 9:50 am
Database Administrators should also be invloved in the development of organisational standards for software development. In my organisation we have a document that details the programming standards, and this includes standards for accessing databases. Code reviews help ensure that developers adhere to these standards.
We also have a library which all user-input is passed through and casted to the correct data type. All developers are obliged to use this library.
Keith
February 3, 2004 at 9:50 am
Database Administrators should also be invloved in the development of organisational standards for software development. In my organisation we have a document that details the programming standards, and this includes standards for accessing databases. Code reviews help ensure that developers adhere to these standards.
We also have a library which all user-input is passed through and casted to the correct data type. All developers are obliged to use this library.
Keith
February 3, 2004 at 9:52 am
Database Administrators should also be invloved in the development of organisational standards for software development. In my organisation we have a document that details the programming standards, and this includes standards for accessing databases. Code reviews help ensure that developers adhere to these standards.
We also have a library which all end-user input is passed through and casted to the correct data type. All developers are obliged to use this library.
Sorry about the multiple posts - I kept on getting an error message each time I posted saying there was a problem casting from DBNull to a string - didn't realise that the post was succeeding each time.
Keith
February 3, 2004 at 11:08 am
If you really lock down master, then true, you've mitigated most of the rest. Most folks don't think to do this, unfortunately.
K. Brian Kelley
@kbriankelley
February 3, 2004 at 11:08 am
If you really lock down master, then true, you've mitigated most of the rest. Most folks don't think to do this, unfortunately.
K. Brian Kelley
@kbriankelley
February 3, 2004 at 2:18 pm
Chris,
Excellent article!!! After reading your article, I checked w/ our Sr. System Developer to verify if we are using these techniques. We are looking in depth to other exploitations of SQL injections with our app.
Thanks,
Dave S.
February 3, 2004 at 2:19 pm
Chris,
Excellent article!!! After reading your article, I checked w/ our Sr. System Developer to verify if we are using these techniques. We are looking in depth to other exploitations of SQL injections with our app.
Thanks,
Dave S.
February 3, 2004 at 2:20 pm
Chris,
Excellent article!!! After reading your article, I checked w/ our Sr. System Developer to verify if we are using these techniques. We are looking in depth to other exploitations of SQL injections with our app.
Thanks,
Dave S.
February 3, 2004 at 2:20 pm
Chris,
Excellent article!!! After reading your article, I checked w/ our Sr. System Developer to verify if we are using these techniques. We are looking in depth to other exploitations of SQL injections with our app.
Thanks,
Dave S.
Viewing 15 posts - 1 through 15 (of 17 total)
You must be logged in to reply to this topic. Login to reply