Solved

MS SQL Customer DB returning Hex Code from website

Posted on 2007-04-09
244 Views
Last Modified: 2010-04-20
I use MS SQL and our customer database has recently started returning odd code that looks like hex from our website.  This just started in the past couple of months and I think it's coming from the catalog request link.  I'm not a DB admin so I'm looking for any advice or possible causes for this behavior.
Question by:aloyd18
12 Comments
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18876980
What do you mean, returning code FROM your website?  Do you mean that this was data posted to your customer DB?
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18878570
Yes, normally the DB fills up with name, address, number, etc.  Just recently it started populating with the hex looking characters.  And yes the data is coming from the website when a customer enters the catalog request.
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18878708
Phew...and your web page code didn't change??  It could be that the character code page that the web page uses has been corrupted.
0
 
LVL 30

Expert Comment

by:nmcdermaid
ID: 18879401
Can you first verify what it looks like in the database? Then you can identify whether the issue is in the database or in the web code.

It's quite possible that your database is Unicode, and you have someone entering non-English characters in a web page.

The non-English characters are saved to the database (totally valid), but when they are selected out to an English-only browser, the characters look strange because they can't be represented.
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18907818
Where the customer name, number, State, Phone Number etc usually show up I'm getting a bunch of garbage that looks like this...

936658CB-CC6E-43 936658CB-CC6E-43 1 WAITFOR DELAY '0:0:20'--
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18907955
The problem seems to be between our web site and the business system we use called Ecometry.  Does anyone have any suggestions on troubleshooting the website side?
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18908073
That isn't hex, it's some kind of serial number stuff, possibly incomplete GUIDs, and the WAITFOR DELAY is script code of some sort.

I have a wild idea that you are under some sort of script-insertion attack.  In this strange scenario, the inserted script is being mapped to parameters in a stored procedure you are using, causing it to look like your web site is posting garbage.  The fact that in this scenario you've used a stored procedure has prevented the attacking script from executing something evil on either your web server or on your SQL Server.

Server-side validation of field length and type prior to posting to SQL Server should help you eliminate this garbage.
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18908110
Can you give me some pointers on setting up server side validation?  You're talking on the SQL server right?
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18908151
No, I'm talking on the web server.  However, you can also do a base-level validation on the SQL Server if you're performing your updates with stored procedures.  Are you doing so?
0
 
LVL 30

Expert Comment

by:nmcdermaid
ID: 18909538
Yes I most definitely agree, you could be having a script attack. Very suspicious.
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18919831
I'm not sure if updates are done by stored procedures.  Where would one start in troubleshooting this?
0
 
LVL 23

Accepted Solution

by:Christopher Kile (earned 500 total points)
ID: 18919922
You need the web code.  You need to analyze the code triggered by form submission as this is the most likely place where updates would be performed.  This is where you can see if SQL queries are being composed on the fly, or if stored procedures are being called.

Also, you can examine the stored procedures in your database.  Use SQL-EM to generate a script of all stored procedures, then load it into an editor and search for INSERT and UPDATE, also for the name of the table where the garbage has been posted.
0
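As an added example (not code from this thread or from the asker's site), the following Python script illustrates the three things the expert comments point at: server-side validation of field length and type, the difference between SQL composed on the fly and a parameterised insert, and a scan of rows already stored for the WAITFOR DELAY / '--' garbage shown above. It uses an in-memory sqlite3 table as a stand-in for the MS SQL customer database, hypothetical field limits, and a constructed form submission built from the garbage quoted in the thread.

```python
import re
import sqlite3

# Constructed sample: a catalog-request submission carrying the probe string seen in the thread.
SAMPLE_FORM = {"name": "936658CB-CC6E-43 1 WAITFOR DELAY '0:0:20'--",
               "state": "CA", "phone": "555-0100"}

# Server-side validation rules: (max length, allowed characters). Limits are hypothetical.
FIELD_RULES = {
    "name":  (40, re.compile(r"^[A-Za-z .,'-]+$")),
    "state": (2,  re.compile(r"^[A-Z]{2}$")),
    "phone": (20, re.compile(r"^[0-9() .-]+$")),
}

def validate(form):
    """Return a list of (field, reason) problems; an empty list means the submission is acceptable."""
    problems = []
    for field, (max_len, pattern) in FIELD_RULES.items():
        value = form.get(field, "")
        if len(value) > max_len:
            problems.append((field, "too long"))
        elif not pattern.match(value):
            problems.append((field, "unexpected characters"))
    return problems

def build_concatenated_sql(form):
    """The pattern to look for in the web code: SQL text composed on the fly from form values.
    The apostrophes in the name land inside the statement, so the value is no longer just data."""
    return ("INSERT INTO catalog_request (name, state, phone) VALUES ('%s', '%s', '%s')"
            % (form["name"], form["state"], form["phone"]))

def insert_parameterised(conn, form):
    """Safe variant: values travel as parameters, so whatever was typed is stored as plain data."""
    conn.execute("INSERT INTO catalog_request (name, state, phone) VALUES (?, ?, ?)",
                 (form["name"], form["state"], form["phone"]))
    return conn.execute("SELECT name FROM catalog_request").fetchone()[0]

# Triage filter for rows already written by injection probes (built from the garbage in the thread).
TAINT = re.compile(r"WAITFOR\s+DELAY|--|;\s*(DROP|EXEC|UNION)\b", re.IGNORECASE)

def find_tainted_rows(conn):
    """Return (id, name) for stored rows whose name matches an injection artifact, for review."""
    return [row for row in conn.execute("SELECT id, name FROM catalog_request") if TAINT.search(row[1])]

def demo():
    conn = sqlite3.connect(":memory:")   # stand-in for the MS SQL customer DB
    conn.execute("CREATE TABLE catalog_request (id INTEGER PRIMARY KEY, name TEXT, state TEXT, phone TEXT)")
    insert_parameterised(conn, SAMPLE_FORM)
    return validate(SAMPLE_FORM), build_concatenated_sql(SAMPLE_FORM), find_tainted_rows(conn)
```

Run demo() to see the sample rejected by validation, the on-the-fly statement with the probe text spliced into it, and the stored row flagged for review.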
