Solved

MS SQL Customer DB returning Hex Code from website

Posted on 2007-04-09
Last Modified: 2010-04-20
I use MS SQL and our customer database has recently started returning odd code that looks like hex from our website.  This just started in the past couple of months and I think it's coming from the catalog request link.  I'm not a DB admin so I'm looking for any advice or possible causes for this behavior.
0
Question by:aloyd18
12 Comments
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18876980
What do you mean, returning code FROM your website?  Do you mean that this was data posted to your customer DB?
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18878570
Yes, normally the DB fills up with name, address, number, etc.  Just recently it started populating with the hex looking characters.  And yes the data is coming from the website when a customer enters the catalog request.
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18878708
Phew...and your web page code didn't change??  It could be that the character code page that the web page uses has been corrupted.
0
 
LVL 30

Expert Comment

by:nmcdermaid
ID: 18879401
Can you first verify what it looks like in the database? Then you can identify whether the issue is in the database or in the web code.

It's quite possible that your database is Unicode, and you have someone entering non-English characters in a web page.

The non-English characters are saved to the database (totally valid) but when they are selected out to an English-only browser, the characters look strange because they can't be represented.
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18907818
Where the customer name, number, State, Phone Number etc usually show up I'm getting a bunch of garbage that looks like this...

936658CB-CC6E-43 936658CB-CC6E-43 1 WAITFOR DELAY '0:0:20'--
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18907955
The problem seems to be between our web site and the business system we use called Ecometry.  Does anyone have any suggestions on troubleshooting the website side?
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18908073
That isn't hex, it's some kind of serial number stuff, possibly incomplete GUIDs, and the WAITFOR DELAY is script code of some sort.  

I have a wild idea that you are under some sort of script-insertion attack.  In this strange scenario, the inserted script is being mapped to parameters in a stored procedure you are using, causing it to look like your web site is posting garbage.  The fact that in this scenario you've used a stored procedure has prevented the attacking script from executing something evil on either your web server or on your SQL Server.

Server-side validation of field length and type prior to posting to SQL Server should help you eliminate this garbage.
0
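The length-and-type validation suggested in the comment above, sketched as an added example (not code from this thread or from Ecometry). The field names, limits and patterns are assumptions for a catalog-request form; the rejected values are the ones quoted earlier in the thread.

```python
import re

# Hypothetical rules for a catalog-request form: (max length, allowed pattern).
# Field names and limits are assumptions; adjust them to the real form.
FIELD_RULES = {
    "name":  (60, re.compile(r"[^\W\d_]+(?:[ .'\-]{1,2}[^\W\d_]+)*\.?")),
    "state": (2,  re.compile(r"[A-Z]{2}")),
    "zip":   (10, re.compile(r"\d{5}(?:-\d{4})?")),
    "phone": (20, re.compile(r"\+?[\d\s().\-]{7,20}")),
}

def validate_request(form):
    """Return (clean, errors); clean holds only fields that passed every check."""
    clean, errors = {}, {}
    for field, (max_len, pattern) in FIELD_RULES.items():
        value = (form.get(field) or "").strip()
        if not value:
            errors[field] = "missing"
        elif len(value) > max_len:          # length check first
            errors[field] = "too long"
        elif not pattern.fullmatch(value):  # then type/character check
            errors[field] = "unexpected characters"
        else:
            clean[field] = value
    unknown = set(form) - set(FIELD_RULES)
    if unknown:                             # fields the form never defined
        errors["_unexpected_fields"] = sorted(unknown)
    return clean, errors

# Constructed submissions: one ordinary, one carrying the values seen in the DB.
GOOD = {"name": "Mary O'Brien", "state": "OH", "zip": "45202",
        "phone": "(513) 555-0100"}
BAD = {"name": "936658CB-CC6E-43", "state": "936658CB-CC6E-43", "zip": "45202",
       "phone": "1 WAITFOR DELAY '0:0:20'--"}

if __name__ == "__main__":
    for form in (GOOD, BAD):
        clean, errors = validate_request(form)
        print("accepted" if not errors else "rejected: %r" % errors)
```

Only submissions with an empty error set should be passed on, still as parameters, to the stored procedure or query. Rejected submissions are worth logging with the source address and timestamp, since they show when the probing started.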
 
LVL 3

Author Comment

by:aloyd18
ID: 18908110
Can you give me some pointers on setting up server side validation?  You're talking on the SQL server right?
0
 
LVL 23

Expert Comment

by:Christopher Kile
ID: 18908151
No, I'm talking on the web server.  However, you can also do a base-level validation on the SQL Server if you're performing your updates with stored procedures.  Are you doing so?
0
 
LVL 30

Expert Comment

by:nmcdermaid
ID: 18909538
Yes, I most definitely agree, you could be having a script attack. Very suspicious.
0
 
LVL 3

Author Comment

by:aloyd18
ID: 18919831
I'm not sure if updates are done by stored procedures.  Where would one start in troubleshooting this?
0
 
LVL 23

Accepted Solution

by:
Christopher Kile earned 500 total points
ID: 18919922
You need the web code.  You need to analyze the code triggered by form submission as this is the most likely place where updates would be performed.  This is where you can see if SQL queries are being composed on the fly, or if stored procedures are being called.

Also, you can examine the stored procedures in your database.  Use SQL-EM to generate a script of all stored procedures, then load it into an editor and search for INSERT and UPDATE, also for the name of the table where the garbage has been posted.
0
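The script search described in the accepted solution can be automated; the following is an added example, not code from the thread. It assumes the generated script separates procedures with `GO`, uses a hypothetical table name `CatalogRequest` and a constructed sample script, and goes one step further than the answer by also flagging procedures that build SQL strings and execute them.

```python
import re

# Constructed sample of a scripted stored-procedure dump; all names are hypothetical.
SAMPLE_SCRIPT = """
CREATE PROCEDURE dbo.AddCatalogRequest @Name varchar(60), @State char(2) AS
INSERT INTO dbo.CatalogRequest (Name, State) VALUES (@Name, @State)
GO
CREATE PROCEDURE dbo.FindCustomer @Name varchar(60) AS
DECLARE @sql varchar(500)
SET @sql = 'SELECT * FROM dbo.Customer WHERE Name = ''' + @Name + ''''
EXEC (@sql)
GO
CREATE PROCEDURE dbo.TouchRequest @Id int AS
UPDATE dbo.CatalogRequest SET Processed = 1 WHERE Id = @Id
GO
"""

BATCH_SEP = re.compile(r"^\s*GO\s*$", re.I | re.M)
PROC_NAME = re.compile(r"CREATE\s+PROC(?:EDURE)?\s+([\[\]\w.]+)", re.I)
# EXEC(...) or sp_executesql means the procedure runs a string as SQL.
DYNAMIC_SQL = re.compile(r"\bEXEC(?:UTE)?\s*\(|\bsp_executesql\b", re.I)

def audit_procedures(script, table):
    """Return {procedure: {"writes": [...], "dynamic_sql": bool}} per batch."""
    t = re.escape(table)
    write_stmt = re.compile(
        r"\b(INSERT)\s+(?:INTO\s+)?[\[\]\w.]*\b%s\b|\b(UPDATE)\s+[\[\]\w.]*\b%s\b"
        % (t, t), re.I)
    report = {}
    for batch in BATCH_SEP.split(script):
        name = PROC_NAME.search(batch)
        if not name:
            continue  # batch holds no procedure definition
        writes = sorted({(m.group(1) or m.group(2)).upper()
                         for m in write_stmt.finditer(batch)})
        report[name.group(1)] = {"writes": writes,
                                 "dynamic_sql": bool(DYNAMIC_SQL.search(batch))}
    return report

if __name__ == "__main__":
    for proc, info in audit_procedures(SAMPLE_SCRIPT, "CatalogRequest").items():
        print(proc, info)
```

Procedures that write to the affected table are the ones the web form most likely calls; any flagged for dynamic SQL deserve a closer read, because a stored procedure that concatenates its parameters into a string loses the protection described earlier in the thread.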
