SQL Script Injection

  • I was told about this error that may exist on a server of mine. I searched the web and found that the issue exists against SQL Server 2000 which is not running SP3. However, the server I was told about is a 7.0 box. First, I am unable to recreate this error on the server; second, I am unable to see any documentation about it affecting 7.0 boxes. Is this an issue with 7.0 and if so what is the fix?!

    Stacey W. A. Gregerson


  • Hi Stacey,

    quote:


    I was told about this error that may exist on a server of mine. I searched the web and found that the issue exists against SQL Server 2000 which is not running SP3. However, the server I was told about is a 7.0 box. First, I am unable to recreate this error on the server; second, I am unable to see any documentation about it affecting 7.0 boxes. Is this an issue with 7.0 and if so what is the fix?!


    Without a further description of the error it will be hard to find a solution.

    However, both SQL2k and SQL7 are potentially exposed to SQL injection.

    Maybe your issue is known on these sites:

    http://www.appsecinc.com

    http://www.sqlsecurity.com (there are also links to some other useful sites here)

    Any more details?

    Cheers,

    Frank

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • To piggy-back on Frank...

    SQL Injection is basically where an attacker can "slip in" another database command on top of a legitimate one. This is typically done against web sites. If a web application doesn't properly validate the input coming in, an attacker will be able to append a SQL query and the web application will pass it to the database server as a legitimate query. The weakness isn't at the database, it's at the application.

    SQL Server, MySQL, and Oracle, among others, are all potentially vulnerable to SQL injection. It's not just limited to SQL Server.

    In addition to the links Frank has posted, if you want to watch a webcast that takes you step-by-step through how a SQL Injection attack works, you might check out Brian Knight's webcast with Microsoft USA:

    http://www.microsoft.com/usa/webcasts/ondemand/1765.asp

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

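The mechanism Brian describes above, as an added, runnable example that is not part of the original thread or of either poster's code. It uses an in-memory SQLite database with constructed sample tables standing in for the web application's backend (the thread is about SQL Server 7.0/2000, but the flaw is identical on any engine, since it lives in how the application builds the query). The same login check is written twice: once by string concatenation, where a quote in the input ends the literal and the remainder is parsed as SQL, and once with a parameterised query, where the statement text is fixed and the values are bound separately. The `--` comment and `UNION` tricks shown work on SQLite and SQL Server alike; SQLite's Python driver refuses stacked statements (`'; DROP TABLE ...`), so that particular variant is not demonstrated here. Table names, accounts and secrets are all made up for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory store with a users table the
    application authenticates against and a second table it never intends
    to expose to the login form."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('alice', 's3cret');
        INSERT INTO users (username, password) VALUES ('bob', 'hunter2');
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, owner TEXT, note TEXT);
        INSERT INTO secrets (owner, note) VALUES ('alice', 'payroll export key');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenating untrusted input into the statement text.
    A single quote in the input closes the string literal, and everything
    after it is interpreted as SQL rather than as data."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Parameterised query: the statement text never changes, the driver sends
    the values out of band, so quotes, comments and UNIONs in the input are
    just characters being compared against the column."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


def demo():
    """Runs the same three attacker inputs through both versions and returns
    what each one hands back to the application."""
    conn = build_db()
    attacks = {
        # Comment out the password check entirely: ... username = 'alice' --' AND ...
        "comment_bypass": ("alice' --", "anything"),
        # Make the WHERE clause true for every row: ... password = '' OR '1'='1'
        "tautology": ("x", "' OR '1'='1"),
        # Bolt a second SELECT onto the first and read a different table
        "union_dump": ("x' UNION SELECT note FROM secrets --", "x"),
    }
    results = {}
    for name, (user, pw) in attacks.items():
        results[name] = {
            "vulnerable": login_vulnerable(conn, user, pw),
            "safe": login_safe(conn, user, pw),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Every attack above succeeds against `login_vulnerable` and returns nothing from `login_safe`, which is the point Brian makes: the database executed exactly what it was given in both cases, so the fix is in the application, not in a service pack. Input validation helps, but binding parameters (or stored procedures called with parameters, not built with `EXEC` on a concatenated string) removes the problem rather than filtering around it.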

  • Hi Brian,

    quote:


    To piggy-back on Frank...


    Sorry to ask, but what does this mean?

    Cheers,

    Frank

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • It means to add-on to what you said.

    It comes from a "piggy-back ride." When kids ride on an adult's back (child's legs around the adult's waist, child's hands/arms around the neck), we call that a piggy-back ride in the US.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1


  • quote:


    It comes from a "piggy-back ride." When kids ride on an adult's back (child's legs around the adult's waist, child's hands/arms around the neck), we call that a piggy-back ride in the US.


    yes, I know this!

    One of the great things that comes along with a father's job.

    Thanks for explanation!

    Cheers,

    Frank

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/
