Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

MS SQL Customer DB returning Hex Code from website

Posted on 2007-04-09
12
Medium Priority
?
248 Views
Last Modified: 2010-04-20
I use MS SQL and our customer database has recently started returning odd code that looks like hex from our website.  This just started in the past couple of months and I think it's coming from the catalog request link.  I'm not a DB admin so I'm looking for any advice or possible causes for this behavior.
0
Comment
Question by:aloyd18
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 2
12 Comments
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18876980
What do you mean, returning code FROM your website?  Do you mean that this was data posted to your customer DB?
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18878570
Yes, normally the DB fills up with name, address, number, etc.  Just recently it started populating with the hex looking characters.  And yes the data is coming from the website when a customer enters the catalog request.
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18878708
Phew...and your web page code didn't change??  It could be tha tthe character code page that the web page uses has been corrupted.
0
Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

 
LVL 30

Expert Comment

by:nmcdermaid
ID: 18879401
Can you first verify what it looks like in the database? Then you can identify whether the issue is in the database or in the web code.

Its quite possible that your database is unicode, and you have someone entering non-english characters in a web page.

The non english characters are saved to the database (totally valid) but when they are selected out to an English - only browser, the characters look strange because they can't be represented.
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18907818
Where the customer name, number, State, Phone Number etc usually show up I'm getting a bunch of garbage that looks like this...

936658CB-CC6E-43 936658CB-CC6E-43 1 WAITFOR DELAY '0:0:20'--
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18907955
The problem seems to be between our web site and the business system we use called Ecometry.  Does anyone have any suggestions on troubleshooting the website side?
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18908073
That isn't hex, it's some kind of serial number stuff, possibly incomplete GUIDs, and the WAITFOR DELAY is script code of some sort.  

I have a wild idea that you are under some sort of script-insertion attack.  In this strange scenario, the inserted script is being mapped to parameters in a stored procudure you are using, causing it to look like your web site is posting garbage.  The fact that in this scenario you've used a stored procedure has prevented the attacking script from executing something evil on either your web server or on your SQL Server.

Server-side validation of field length and type prior to posting to SQL Server should help you eliminate this garbage.
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18908110
Can you give me some pointers on setting up server side validation?  You're talking on the SQL server right?
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18908151
No, I'm talking on the web server.  However, you can also do a base-level validation on the SQL Server if you're performing your updates with stored procedures.  Are you doing so?
0
 
LVL 30

Expert Comment

by:nmcdermaid
ID: 18909538
Yes I most definitely agree, you could be having a script attack. Very suspicious.
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18919831
I'm not sure if updates are done by stored procedures.  Where would one start in troubleshooting this?
0
 
LVL 23

Accepted Solution

by:
Christopher Kile earned 1500 total points
ID: 18919922
You need the web code.  You need to analyze the code triggered by form submission as this is the most likely place where updates would be performed.  This is where you can see if SQL queries are being composed on the fly, or if stored procedures are being called.

Also, you can examine the stored procedures in your database.  Use SQL-EM to generate a script of all stored procedures, then load it into an editor and search for INSERT and UPDATE, also for the name of the table where the garbage has been posted.
0

Featured Post

Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
It is possible to export the data of a SQL Table in SSMS and generate INSERT statements. It's neatly tucked away in the generate scripts option of a database.
Via a live example, show how to extract insert data into a SQL Server database table using the Import/Export option and Bulk Insert.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question