SQL Injection Protection for Internal apps

Posted on 2007-08-09
Last Modified: 2008-01-09
We have a sql 2000 dbase that is the back end to internal browser based apps. They are not web based in the sense that they are not external apps on the web. They are behind a router/firewall. I have been reading a little about sql injection. Should I take any further precautions other than the firewall to protect against SQL Injection?
Question by:pabby061203
    LVL 11

    Expert Comment

    How big is your organisation? Which level of employees access the apps?

    If it's a small organisation where the users have access to the data anyway, there is no point.
    If it's a big organisation where the app is the only access users have to the data, I would be wary and put some measures in place.

    It all really depends upon your situation......
    LVL 14

    Expert Comment

    Definitely. The firewall doesn't protect against sql injection.

    Author Comment

    Hi and thanks for replying. Our situation is: a small business with about 20 operators who do not get direct access to the data - they data capture through a front end app. I am not really concerned about the operators. I am putting together a disaster recovery strategy with recommendations but don't know much about sql injection. Given my scenario, given that the sql dbase is an internal dbase server behind a firewall, what would your recommendations be to tighten up?

    thanks again
    LVL 11

    Accepted Solution

    If you reduce all app access to database through stored procedures, this should be more than enough for a small company internal app with trusted operators.
    LVL 21

    Expert Comment

    Ditto cmhunty's answer.  Grant execute access on procs to users and don't grant table access.  This mitigates the most glaring opening that somebody could connect to the database using something other than your app.

    Protecting against sql injection is best accomplished by educating your developers about it.  Generally, it doesn't take extra work but it does take avoiding certain things.
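As an added example (not from the thread), this is what the advice above looks like in T-SQL for SQL Server 2000: a table reached only through parameterized stored procedures, EXECUTE granted to a role, no table rights, and the one "thing to avoid" inside a procedure that would undo the protection. The table, procedure, role and user names are assumed for illustration.

```sql
-- Added example; object names (Orders, OperatorRole, app_operator,
-- usp_*) are assumed, not taken from the thread.

-- Table the front-end app captures data into.
CREATE TABLE dbo.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    CustomerId INT          NOT NULL,
    Notes      VARCHAR(200) NULL
);
GO

-- Safe: @CustomerId is bound as a typed parameter; the statement text
-- is fixed at CREATE time, so user input can never change its shape.
CREATE PROCEDURE dbo.usp_GetOrdersByCustomer
    @CustomerId INT
AS
    SELECT OrderId, CustomerId, Notes
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
GO

-- The thing to avoid: building the statement as a string and running it
-- with EXEC(...) re-creates injection even though "the app only calls
-- procs". If dynamic SQL is truly needed, keep the input a parameter of
-- sp_executesql rather than splicing it into the text.
CREATE PROCEDURE dbo.usp_SearchOrderNotes
    @Search VARCHAR(100)
AS
    DECLARE @sql NVARCHAR(500), @pattern VARCHAR(102);
    SET @sql = N'SELECT OrderId, CustomerId, Notes FROM dbo.Orders '
             + N'WHERE Notes LIKE @p';
    SET @pattern = '%' + @Search + '%';   -- still data, never code
    EXEC sp_executesql @sql, N'@p VARCHAR(102)', @p = @pattern;
GO

-- Least privilege: operators get EXECUTE on the procs and nothing on the
-- table. The procs still work because dbo owns both proc and table
-- (ownership chaining), but an ad-hoc connection made outside the app
-- with the same login cannot SELECT or modify dbo.Orders directly.
EXEC sp_addrole 'OperatorRole';
EXEC sp_addrolemember 'OperatorRole', 'app_operator';   -- assumed user
GRANT EXECUTE ON dbo.usp_GetOrdersByCustomer TO OperatorRole;
GRANT EXECUTE ON dbo.usp_SearchOrderNotes    TO OperatorRole;
-- Explicit DENY guards against table rights leaking in via another role.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO OperatorRole;
GO
```

A quick check after deployment is to connect as the operator user with Query Analyzer and confirm that `SELECT * FROM dbo.Orders` is refused while `EXEC dbo.usp_GetOrdersByCustomer 1` succeeds.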
