March 6, 2012 at 2:15 am
My website is suffering from SQL injection attacks; a user is inserting scripts into database tables. As a first precaution I started using database views.
I am also using SQL authentication with a strong password.
Can you please guide me on what more I can do to stop any kind of attack on MSSQL Server from outside users?
Thanks & Regards,
Pallavi
March 6, 2012 at 2:43 am
There is a wealth of information on Google on how to protect against SQL Injection. The main points are:
Always parameterise your inputs into SQL Server (e.g. use parameterised stored procedures, or explicitly parameterise any ad-hoc SQL in the application).
Never use dynamic SQL (except where it's properly parameterised with sp_executesql; this is quite an advanced technique, mainly used for catch-all queries).
Make sure your web SQL user has the bare minimum of permissions to do its job.
Sanitise your inputs.
If this is happening to your site now and you're not familiar with all of this, I'd advise getting a consultant in.
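To make the first two points concrete, here is an added T-SQL example (not code from the thread or from any of the posters). It puts a deliberately vulnerable procedure that concatenates user input into SQL text next to two safe versions: a plain stored procedure with a parameter, and a "catch-all" search that builds its WHERE clause from trusted fragments and passes the user values through sp_executesql parameters. The table, column and procedure names are assumed, and the sample rows are constructed for the demonstration.

```sql
-- Added example, not from the original thread. Table/procedure names are assumed.
CREATE TABLE dbo.Products (ProductId int PRIMARY KEY, Name nvarchar(100), Price money);
INSERT INTO dbo.Products VALUES (1, N'Widget', 9.99), (2, N'Gadget', 19.99);
GO

-- VULNERABLE (shown only for contrast): user input becomes part of the SQL text,
-- so the input  '; UPDATE dbo.Products SET Name = N'pwned' --  ends the LIKE,
-- appends an UPDATE and comments out the rest of the statement.
CREATE PROCEDURE dbo.SearchProducts_Vulnerable @Search nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductId, Name, Price FROM dbo.Products WHERE Name LIKE ''%' + @Search + N'%''';
    EXEC (@sql);
END
GO

-- SAFE, static: no dynamic SQL at all. @Search is a value the query compares
-- against; it is never compiled as SQL.
CREATE PROCEDURE dbo.SearchProducts @Search nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductId, Name, Price
    FROM dbo.Products
    WHERE Name LIKE N'%' + @Search + N'%';
END
GO

-- SAFE, dynamic ("catch-all" search): only fixed, developer-written fragments
-- are appended to @sql; every user value travels as an sp_executesql parameter.
CREATE PROCEDURE dbo.SearchProducts_Dynamic
    @Search   nvarchar(100) = NULL,
    @MaxPrice money         = NULL
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductId, Name, Price FROM dbo.Products WHERE 1 = 1';
    IF @Search   IS NOT NULL SET @sql += N' AND Name LIKE N''%'' + @Search + N''%''';
    IF @MaxPrice IS NOT NULL SET @sql += N' AND Price <= @MaxPrice';

    EXEC sp_executesql @sql,
        N'@Search nvarchar(100), @MaxPrice money',
        @Search = @Search, @MaxPrice = @MaxPrice;
END
GO

-- Demonstration: the same payload against the safe and the vulnerable procedure.
DECLARE @payload nvarchar(100) = N'''; UPDATE dbo.Products SET Name = N''pwned'' --';
EXEC dbo.SearchProducts         @Search = @payload;   -- no rows, nothing modified
EXEC dbo.SearchProducts_Dynamic @Search = @payload;   -- no rows, nothing modified
SELECT Name FROM dbo.Products;                        -- still Widget / Gadget
EXEC dbo.SearchProducts_Vulnerable @Search = @payload; -- executes the injected UPDATE
SELECT Name FROM dbo.Products;                        -- both rows are now 'pwned'
```

Note that even in the safe procedures the LIKE wildcards `%` and `_` inside @Search are still interpreted as wildcards; that affects which rows match, not what SQL executes, and is handled separately (escaping or validating the search term), not with string concatenation.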
March 6, 2012 at 2:44 am
I have attached an ebook on SQL injection.
What is actually happening? Are you losing tables? Are you sure it's coming from the website? Are you running Profiler to see where the attack is actually coming from?
Firstly, grant your SQL account only the rights it needs to do its job. If it has db_owner rights I would remove them and create a role which can only do what it's meant to do.
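The role-based clean-up the post describes, as an added T-SQL example (not code from the thread or the posters). It lists the roles the application's database user currently holds, removes db_owner, creates a role that can only execute the procedures the site uses, and then checks the result by impersonating the user. Database, user, role and procedure names are assumed placeholders.

```sql
-- Added example, not from the original thread. Names are assumed.
USE YourDatabase;
GO

-- 1. What can the web application's database user do today?
SELECT dp.name AS principal_name, dp.type_desc, r.name AS role_name
FROM sys.database_principals dp
LEFT JOIN sys.database_role_members rm ON rm.member_principal_id = dp.principal_id
LEFT JOIN sys.database_principals  r  ON r.principal_id = rm.role_principal_id
WHERE dp.name = N'WebAppUser';
-- If role_name shows db_owner (or db_datawriter / db_datareader), remove it.
EXEC sp_droprolemember 'db_owner', 'WebAppUser';
-- SQL Server 2012 and later also accept: ALTER ROLE db_owner DROP MEMBER WebAppUser;

-- 2. A role that can only call the procedures the site actually needs.
CREATE ROLE WebAppRole;
GRANT EXECUTE ON OBJECT::dbo.SearchProducts TO WebAppRole;
GRANT EXECUTE ON OBJECT::dbo.PlaceOrder     TO WebAppRole;
EXEC sp_addrolemember 'WebAppRole', 'WebAppUser';
-- No table permissions are granted. Because the procedures and the tables share
-- the same owner (dbo), ownership chaining lets the procedures read and write the
-- tables, while an injected ad-hoc UPDATE run as WebAppUser fails with a
-- permission error.

-- 3. Verify from the application's point of view without knowing its password.
EXECUTE AS USER = 'WebAppUser';
SELECT * FROM fn_my_permissions('dbo.Products', 'OBJECT');        -- expect no rows
SELECT * FROM fn_my_permissions('dbo.SearchProducts', 'OBJECT');  -- expect EXECUTE
SELECT HAS_PERMS_BY_NAME('dbo.Products', 'OBJECT', 'UPDATE');     -- expect 0
REVERT;
```

Run the verification step again after every deployment; a single well-meant `GRANT ... TO public` or a restored role membership silently undoes this.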
March 6, 2012 at 2:55 am
pallavi.unde (3/6/2012)
My website is suffering from SQL injection attacks; a user is inserting scripts into database tables. As a first precaution I started using database views. I am also using SQL authentication with a strong password.
Can you please guide me on what more I can do to stop any kind of attack on MSSQL Server from outside users?
How are you sure that the site is suffering from SQL injection attacks? Have you lost any data or tables, and have you identified that the query was fired from the application's user interface?
March 6, 2012 at 3:14 am
I am sure that the update query is fired from outside... I am using a photon to upload data into the database, and the IP of the PC got hacked.
Thanks & Regards,
Pallavi
March 6, 2012 at 5:12 am
Limit the application account to minimal permissions and ensure that all ad-hoc and dynamic SQL is parameterised. Done properly, those two make an app completely immune to SQL injection.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
March 6, 2012 at 6:43 am
Also, I forgot to upload this ebook as well.
March 7, 2012 at 9:04 am
As Gail and others mentioned, the only good response is to parameterize all SQL in your apps: ad-hoc, dynamic, etc. Deliberately set the data type, the size, and so on.
Optionally, white-list the contents of each parameter one at a time; that's good for other security concerns, but it does not prevent SQL injection.
By "minimal permissions", we mean granular table-based or, better, column-based security. Only allow SELECT where it's required, only allow UPDATE where it's required, and so on.
The advanced version of this is to have one login for each individual section of the web app; the financial page may have no need to access the inventory tables, for instance.
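The column-level and per-section layout this post describes, as an added T-SQL example (not code from the thread or the posters). Two logins, one for the finance pages and one for the inventory pages, each get their own role; the finance role can read customer names and e-mails but not the card hash and can update only the e-mail column, and neither role is ever granted anything in the other section's tables. Table, column, login and role names are assumed, and the passwords are placeholders to replace.

```sql
-- Added example, not from the original thread. Names and passwords are placeholders.
USE YourDatabase;
GO
CREATE TABLE dbo.Customers (CustomerId int PRIMARY KEY, Name nvarchar(100),
                            Email nvarchar(200), CreditCardHash varbinary(32));
CREATE TABLE dbo.Inventory (ProductId int PRIMARY KEY, Quantity int);
GO

-- One login and user per section of the site, each in its own role.
CREATE LOGIN WebFinance   WITH PASSWORD = N'<strong password 1>', CHECK_POLICY = ON;
CREATE LOGIN WebInventory WITH PASSWORD = N'<strong password 2>', CHECK_POLICY = ON;
CREATE USER WebFinance   FOR LOGIN WebFinance;
CREATE USER WebInventory FOR LOGIN WebInventory;
CREATE ROLE FinanceRole;
CREATE ROLE InventoryRole;
EXEC sp_addrolemember 'FinanceRole',   'WebFinance';
EXEC sp_addrolemember 'InventoryRole', 'WebInventory';

-- Column-level grants for the finance pages: read three columns, update one.
GRANT SELECT (CustomerId, Name, Email) ON dbo.Customers TO FinanceRole;
GRANT UPDATE (Email)                   ON dbo.Customers TO FinanceRole;
-- Explicit DENY on the sensitive column, so a later table-level GRANT SELECT
-- does not quietly expose it.
DENY  SELECT (CreditCardHash)          ON dbo.Customers TO FinanceRole;

-- The inventory pages: read the table, update only the quantity.
GRANT SELECT            ON dbo.Inventory TO InventoryRole;
GRANT UPDATE (Quantity) ON dbo.Inventory TO InventoryRole;
-- dbo.Customers is never granted to InventoryRole, and dbo.Inventory never to FinanceRole.

-- Check what an injected statement running as the finance user could reach.
EXECUTE AS USER = 'WebFinance';
SELECT HAS_PERMS_BY_NAME('dbo.Inventory', 'OBJECT', 'UPDATE');                               -- 0
SELECT HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'SELECT', 'CreditCardHash', 'COLUMN');   -- 0
SELECT HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'UPDATE', 'Email', 'COLUMN');            -- 1
SELECT HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'UPDATE', 'Name', 'COLUMN');             -- 0
REVERT;
```

The application then uses the WebFinance connection string only in the finance section and WebInventory only in the inventory section; an injection in one page is limited to the columns that page was already allowed to touch.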