pabby061203
asked on
SQL Injection Protection for Internal apps
We have a sql 2000 dbase that is the back end to internal browser based apps. They are not web based in the sense that they are not external apps on the web. They are behind a router/firewall. I have been reading a little about sql injection. Should I take any further precautions other than the firewall to protect against SQL Injection?
Definitely. The firewall doesn't protect against sql injection.
ASKER
Hi and thanks for replying. Our situation is: a small business with about 20 operators who do not get direct access to the data - they capture data through a front-end app. I am not really concerned about the operators. I am putting together a disaster recovery strategy with recommendations but don't know much about sql injection. Given my scenario, given that the sql dbase is an internal dbase server behind a firewall, what would your recommendations be to tighten up?
thanks again
Ditto cmhunty's answer. Grant execute access on procs to users and don't grant table access. This mitigates the most glaring opening that somebody could connect to the database using something other than your app.
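As an added illustration of the "execute on procs, no table access" advice above (this is example T-SQL written for this page, not code from the thread or from Experts Exchange; the database, login, user, role, procedure and table names are placeholders), here is the least-privilege setup on SQL Server 2000. The application login ends up able to run the procedures it needs and nothing else, so a connection made with something other than the app gets no direct table access:

```sql
-- Added example, not from the thread. Placeholders: OrdersDB, app_login, app_user,
-- app_procs_role, dbo.usp_GetOrder, dbo.Orders. Uses SQL Server 2000 system procedures.
USE OrdersDB
GO

-- 1. A dedicated login and database user for the front-end app (not sa, not sysadmin).
EXEC sp_addlogin @loginame = 'app_login', @passwd = 'ChangeMe-Strong-Passphrase', @defdb = 'OrdersDB'
EXEC sp_grantdbaccess @loginame = 'app_login', @name_in_db = 'app_user'
GO

-- 2. A role that will hold only EXECUTE rights on the procedures the app calls.
EXEC sp_addrole @rolename = 'app_procs_role'
EXEC sp_addrolemember @rolename = 'app_procs_role', @membername = 'app_user'
GO

-- 3. The procedure owns the data access; the caller never names a table.
CREATE PROCEDURE dbo.usp_GetOrder
    @OrderID int
AS
    SET NOCOUNT ON
    SELECT OrderID, CustomerID, OrderDate, Total
    FROM dbo.Orders
    WHERE OrderID = @OrderID
GO

-- 4. Grant EXECUTE only. No SELECT/INSERT/UPDATE/DELETE is granted on the table itself,
--    and the role is not a member of db_datareader/db_datawriter.
GRANT EXECUTE ON dbo.usp_GetOrder TO app_procs_role
GO

-- 5. Check from the app user's point of view: the table is unreachable, the proc works
--    because proc and table share an owner (dbo), so ownership chaining applies.
SETUSER 'app_user'
SELECT * FROM dbo.Orders            -- fails: SELECT permission denied on object 'Orders'
EXEC dbo.usp_GetOrder @OrderID = 1  -- succeeds
SETUSER
GO
```

The check in step 5 is the one worth repeating after every schema change: if a new table or procedure is added with a different owner, the ownership chain breaks and someone is tempted to grant table rights to the app user "just to make it work", which undoes the whole arrangement.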
Protecting against sql injection is best accomplished by educating your developers about it. Generally, it doesn't take extra work but it does take avoiding certain things.
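The "certain things to avoid" in the answer above mostly come down to one habit: never let user-supplied text become part of the SQL statement's grammar. The following is an added example for this page (not code from the thread), showing the pattern inside T-SQL on SQL Server 2000, where dynamic SQL built by concatenation inside a stored procedure is a common opening; the table and procedure names are placeholders:

```sql
-- Added example, not from the thread. Placeholders: dbo.Customers (CustomerID,
-- FirstName, LastName) and the three procedure names.

-- AVOID: building the statement by string concatenation and executing it.
-- @LastName is spliced into the SQL text, so a quote character in it changes the
-- shape of the statement instead of being treated as a value to compare against.
CREATE PROCEDURE dbo.usp_FindCustomer_Unsafe
    @LastName nvarchar(50)
AS
    DECLARE @sql nvarchar(500)
    SET @sql = N'SELECT CustomerID, FirstName, LastName FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N''''
    EXEC (@sql)
GO

-- PREFER: a static statement. No extra work, and @LastName can only ever be a value.
CREATE PROCEDURE dbo.usp_FindCustomer
    @LastName nvarchar(50)
AS
    SET NOCOUNT ON
    SELECT CustomerID, FirstName, LastName
    FROM dbo.Customers
    WHERE LastName = @LastName
GO

-- PREFER (when dynamic SQL is genuinely needed, e.g. an optional ORDER BY):
-- sp_executesql with a parameter definition. The SQL text stays fixed and the
-- value travels separately as a typed parameter.
CREATE PROCEDURE dbo.usp_FindCustomer_Dynamic
    @LastName nvarchar(50),
    @OrderByLastName bit = 0
AS
    SET NOCOUNT ON
    DECLARE @sql nvarchar(500)
    SET @sql = N'SELECT CustomerID, FirstName, LastName FROM dbo.Customers '
             + N'WHERE LastName = @ln'
    IF @OrderByLastName = 1
        SET @sql = @sql + N' ORDER BY LastName'
    EXEC sp_executesql @sql, N'@ln nvarchar(50)', @ln = @LastName
GO
```

The same rule applies on the application side: the front-end should call these procedures with typed parameters (ADO Command parameters, for example) rather than assembling an `EXEC` string from form fields, otherwise the concatenation problem simply moves one layer up.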
If it's a small organisation where the users have access to the data anyway, there is no point.
If it's a big organisation where the app is the only access users have to the data, I would be wary and put some measures in place.
It all really depends upon your situation...