Solved

MS SQL Customer DB returning Hex Code from website

Posted on 2007-04-09
228 Views
Last Modified: 2010-04-20
I use MS SQL and our customer database has recently started returning odd code that looks like hex from our website.  This just started in the past couple of months and I think it's coming from the catalog request link.  I'm not a DB admin so I'm looking for any advice or possible causes for this behavior.
Question by:aloyd18
12 Comments
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18876980
What do you mean, returning code FROM your website?  Do you mean that this was data posted to your customer DB?
 
LVL 3

Author Comment

by:aloyd18
ID: 18878570
Yes, normally the DB fills up with name, address, number, etc.  Just recently it started populating with the hex looking characters.  And yes the data is coming from the website when a customer enters the catalog request.
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18878708
Phew...and your web page code didn't change?? It could be that the character code page that the web page uses has been corrupted.
 
LVL 30

Expert Comment

by:nmcdermaid
ID: 18879401
Can you first verify what it looks like in the database? Then you can identify whether the issue is in the database or in the web code.

It's quite possible that your database is Unicode, and you have someone entering non-English characters in a web page.

The non-English characters are saved to the database (totally valid), but when they are selected out to an English-only browser, the characters look strange because they can't be represented.
 
LVL 3

Author Comment

by:aloyd18
ID: 18907818
Where the customer name, number, State, Phone Number, etc. usually show up, I'm getting a bunch of garbage that looks like this...

936658CB-CC6E-43 936658CB-CC6E-43 1 WAITFOR DELAY '0:0:20'--
 
LVL 3

Author Comment

by:aloyd18
ID: 18907955
The problem seems to be between our web site and the business system we use called Ecometry.  Does anyone have any suggestions on troubleshooting the website side?
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18908073
That isn't hex, it's some kind of serial number stuff, possibly incomplete GUIDs, and the WAITFOR DELAY is script code of some sort.

I have a wild idea that you are under some sort of script-insertion attack. In this strange scenario, the inserted script is being mapped to parameters in a stored procedure you are using, causing it to look like your web site is posting garbage. The fact that in this scenario you've used a stored procedure has prevented the attacking script from executing something evil on either your web server or on your SQL Server.

Server-side validation of field length and type prior to posting to SQL Server should help you eliminate this garbage.
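The scenario Christopher describes, as an added example that is not part of the original thread. The page does not name the web language, so Python with an in-memory SQLite table stands in for the form handler and the SQL Server customer table; the table and column names, the validation rules and both sample submissions are assumptions (the probe submission is constructed to mirror the shape of the row aloyd18 posted). `build_sql_by_concatenation` is the unsafe pattern to look for in the web code, shown only to make the point: when the phone value is pasted into the statement text, `1 WAITFOR DELAY '0:0:20'--` becomes T-SQL (a time-delay probe, with `--` commenting out whatever follows), whereas a parameterized insert stores the same string verbatim as data, which is what a table filling up with probe strings looks like. Length and type validation on the web server rejects such a submission before it reaches the database at all.

```python
import re
import sqlite3

# Constructed sample submissions (not data from the thread). PROBE_SUBMISSION
# mirrors the shape of the row the question reports: a GUID fragment repeated
# and a T-SQL time-delay probe in the remaining fields.
PROBE = "1 WAITFOR DELAY '0:0:20'--"
PROBE_SUBMISSION = {
    "name": "936658CB-CC6E-43",
    "address": "936658CB-CC6E-43",
    "state": PROBE,
    "phone": PROBE,
}
CLEAN_SUBMISSION = {
    "name": "Jane Example",
    "address": "12 Sample Street",
    "state": "CA",
    "phone": "5555550123",
}

# Assumed validation rules for a catalog-request form: maximum length and an
# allowed-character pattern per field, enforced on the web server before any
# statement is sent to SQL Server.
FIELD_RULES = {
    "name": (60, re.compile(r"^[A-Za-z .,'-]+$")),
    "address": (120, re.compile(r"^[A-Za-z0-9 .,#/'-]+$")),
    "state": (2, re.compile(r"^[A-Z]{2}$")),
    "phone": (15, re.compile(r"^[0-9]{7,15}$")),
}


def build_sql_by_concatenation(fields):
    """UNSAFE, for illustration only: the pattern to look for in the web code.
    Values are pasted into the statement text (phone is treated as numeric, so
    it is not even quoted), which lets a value become part of the SQL grammar."""
    return (
        "INSERT INTO CatalogRequests (Name, Address, State, Phone) VALUES ('"
        + fields["name"] + "', '" + fields["address"] + "', '"
        + fields["state"] + "', " + fields["phone"] + ")"
    )


def validate_catalog_request(fields):
    """Server-side length and type validation. Returns a list of (field, reason)
    tuples; an empty list means the submission passed."""
    errors = []
    for name, (max_len, pattern) in FIELD_RULES.items():
        value = fields.get(name, "")
        if not isinstance(value, str):
            errors.append((name, "not a string"))
        elif len(value) > max_len:
            errors.append((name, f"longer than {max_len} characters"))
        elif not pattern.match(value):
            errors.append((name, "contains characters outside the allowed set"))
    return errors


def new_connection():
    """In-memory stand-in for the customer table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CatalogRequests (Name TEXT, Address TEXT, State TEXT, Phone TEXT)"
    )
    return conn


def insert_catalog_request(conn, fields):
    """Parameterized insert: the values travel separately from the statement,
    so a value is stored as data no matter what it contains. Returns the row
    as stored."""
    conn.execute(
        "INSERT INTO CatalogRequests (Name, Address, State, Phone) VALUES (?, ?, ?, ?)",
        (fields["name"], fields["address"], fields["state"], fields["phone"]),
    )
    return conn.execute(
        "SELECT Name, Address, State, Phone FROM CatalogRequests ORDER BY rowid DESC LIMIT 1"
    ).fetchone()


def handle_submission(conn, fields):
    """What the form handler should do: validate first, store only clean input."""
    errors = validate_catalog_request(fields)
    if errors:
        return "rejected", errors
    return "stored", insert_catalog_request(conn, fields)


if __name__ == "__main__":
    print(build_sql_by_concatenation(PROBE_SUBMISSION))
    print(handle_submission(new_connection(), PROBE_SUBMISSION))
    print(handle_submission(new_connection(), CLEAN_SUBMISSION))
```

Running the block shows the concatenated statement ending in `1 WAITFOR DELAY '0:0:20'--)`, the probe submission rejected on the state and phone fields, and the clean one stored. The validation is deliberately a whitelist (what a field may contain), not a blacklist of SQL keywords, since the latter is trivially bypassed; parameterization remains the real fix, and validation is the second layer that also keeps the junk out of the table.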
 
LVL 3

Author Comment

by:aloyd18
ID: 18908110
Can you give me some pointers on setting up server-side validation? You're talking about the SQL Server, right?
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18908151
No, I'm talking about the web server. However, you can also do a base-level validation on the SQL Server if you're performing your updates with stored procedures. Are you doing so?
 
LVL 30

Expert Comment

by:nmcdermaid
ID: 18909538
Yes I most definitely agree, you could be having a script attack. Very suspicious.
 
LVL 3

Author Comment

by:aloyd18
ID: 18919831
I'm not sure if updates are done by stored procedures.  Where would one start in troubleshooting this?
 
LVL 23

Accepted Solution

by:Christopher Kile (earned 500 total points)
ID: 18919922
You need the web code.  You need to analyze the code triggered by form submission as this is the most likely place where updates would be performed.  This is where you can see if SQL queries are being composed on the fly, or if stored procedures are being called.

Also, you can examine the stored procedures in your database.  Use SQL-EM to generate a script of all stored procedures, then load it into an editor and search for INSERT and UPDATE, also for the name of the table where the garbage has been posted.
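One way to do the search the accepted answer describes, added here and not part of the original thread: a Python script that takes the scripted stored procedures (what generating a script of all procedures from SQL-EM produces) and the form-handler source, and reports which procedures write to the affected table, which ones build SQL dynamically with `EXEC()` or `sp_executesql` (a stored procedure is only a safeguard if it does not splice its parameters back into a string), and which web-code lines concatenate request values into a query. The procedure script and the classic-ASP fragment are constructed samples; the table name `CatalogRequests` and every procedure name are assumptions.

```python
import re

# Constructed sample of the output of scripting all stored procedures (as the
# accepted answer suggests doing from SQL-EM). Procedure and table names are
# assumptions, not objects from the thread.
PROCEDURE_SCRIPT = """\
CREATE PROCEDURE dbo.usp_AddCatalogRequest
    @Name varchar(60), @Address varchar(120), @State char(2), @Phone varchar(15)
AS
    INSERT INTO CatalogRequests (Name, Address, State, Phone)
    VALUES (@Name, @Address, @State, @Phone)
GO
CREATE PROCEDURE dbo.usp_FindCustomer
    @Where varchar(500)
AS
    EXEC('SELECT * FROM Customers WHERE ' + @Where)
GO
CREATE PROCEDURE dbo.usp_UpdateOrderNote
    @OrderId int, @Note varchar(200)
AS
    UPDATE Orders SET Note = @Note WHERE OrderId = @OrderId
GO
"""

# Constructed fragment of a classic-ASP form handler: one query built by
# concatenating request values, one call that goes through a stored procedure
# with a typed parameter.
WEB_CODE = """\
sql = "INSERT INTO CatalogRequests (Name, State) VALUES ('" & Request.Form("name") & "', '" & Request.Form("state") & "')"
conn.Execute sql
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "usp_AddCatalogRequest"
cmd.CommandType = adCmdStoredProc
cmd.Parameters.Append cmd.CreateParameter("@Name", adVarChar, adParamInput, 60, Request.Form("name"))
"""

PROC_HEADER = re.compile(r"CREATE\s+PROC(?:EDURE)?\s+([\w.\[\]]+)", re.IGNORECASE)
DYNAMIC_SQL = re.compile(r"\b(?:EXEC(?:UTE)?\s*\(|sp_executesql\b)", re.IGNORECASE)
SQL_KEYWORD = re.compile(r"\b(?:INSERT|UPDATE|DELETE|SELECT|EXEC)\b", re.IGNORECASE)
REQUEST_VALUE = re.compile(r"\bRequest\s*[.(]")
CONCAT_OP = re.compile(r"[&+]")


def split_procedures(script):
    """Map each procedure name to its batch; batches are separated by GO lines."""
    procs = {}
    for batch in re.split(r"^\s*GO\s*$", script, flags=re.IGNORECASE | re.MULTILINE):
        m = PROC_HEADER.search(batch)
        if m:
            procs[m.group(1)] = batch
    return procs


def find_table_writers(procs, table):
    """Procedures that INSERT INTO or UPDATE the given table (optionally schema-qualified)."""
    pat = re.compile(
        r"\b(?:INSERT\s+INTO|UPDATE)\s+(?:\[?\w+\]?\.)?\[?" + re.escape(table) + r"\]?\b",
        re.IGNORECASE,
    )
    return sorted(name for name, body in procs.items() if pat.search(body))


def find_dynamic_sql(procs):
    """Procedures that execute a string: the injection risk moves inside the
    procedure when that string is built from its parameters."""
    return sorted(name for name, body in procs.items() if DYNAMIC_SQL.search(body))


def find_concatenated_queries(web_code):
    """Web-code lines that splice a request value into SQL text with & or +.
    Returns (line_number, line) pairs; a request value passed as a typed
    parameter on a line without SQL text is not flagged."""
    hits = []
    for number, line in enumerate(web_code.splitlines(), start=1):
        if SQL_KEYWORD.search(line) and REQUEST_VALUE.search(line) and CONCAT_OP.search(line):
            hits.append((number, line.strip()))
    return hits


def triage(procedure_script, web_code, table):
    """One report covering the three questions the accepted answer raises."""
    procs = split_procedures(procedure_script)
    return {
        "writes_to_table": find_table_writers(procs, table),
        "dynamic_sql_procedures": find_dynamic_sql(procs),
        "concatenated_web_queries": find_concatenated_queries(web_code),
    }


if __name__ == "__main__":
    for key, value in triage(PROCEDURE_SCRIPT, WEB_CODE, "CatalogRequests").items():
        print(key, value)
```

On the samples the report names `usp_AddCatalogRequest` as the only writer to the table, `usp_FindCustomer` as the only procedure executing a built string, and the first line of the ASP fragment as the only place a request value is concatenated into SQL. Treat the regexes as a triage aid to narrow what to read, not as proof of safety: anything the scanner flags deserves a manual look, and a clean result on the web code still leaves any dynamic-SQL procedures to review.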
