avaj
asked on
SQL Injection and Database permissions
My site was recently attacked with an sql injection. I have followd the shopping carts steps to hopefully prevent further attacks (is there a way to test this?); the shopping cart also recommends that I change the db permissions. I tried their recommendation but then lost the data base tables (have since had them restored by hosting company). I am about to put the site back on but would like to know if I should first do what shopping cart suggested:
Overview
Run the following two queries to reduce permissions on two system tables for the database user that is used in the ProductCart database connection string (UID located in the connection string saved to the file includes/storeconstants.as
Instructions
The commands to run in query analyzer are:
deny select on sysobjects to DatabaseUser
deny select on syscolumns to DatabaseUser
& where DatabaseUser corresponds to the UID value in the database connection string in your storeconstants.asp file.
If you are setting up a new store, run these queries after setting up the database.
Troubleshooting
If you receive an error similar to the following:
Msg 4604, Level 16, State 1, Line 1
There is no such user or group 'YOURUSER'.
This is probably due to the fact that the user YOURUSER belongs to the default database role called Public .
You can get around the problem by running the same queries with Public instead of the user name used in the connection string. Therefore, the queries become.
deny select on sysobjects to Public
deny select on syscolumns to Public
I ran the two lines above in the analyzer and lost all the tables. Did I just do something wrong - should I run the 2 lines above again?
Overview
Run the following two queries to reduce permissions on two system tables for the database user that is used in the ProductCart database connection string (UID located in the connection string saved to the file includes/storeconstants.as
Instructions
The commands to run in query analyzer are:
deny select on sysobjects to DatabaseUser
deny select on syscolumns to DatabaseUser
& where DatabaseUser corresponds to the UID value in the database connection string in your storeconstants.asp file.
If you are setting up a new store, run these queries after setting up the database.
Troubleshooting
If you receive an error similar to the following:
Msg 4604, Level 16, State 1, Line 1
There is no such user or group 'YOURUSER'.
This is probably due to the fact that the user YOURUSER belongs to the default database role called Public .
You can get around the problem by running the same queries with Public instead of the user name used in the connection string. Therefore, the queries become.
deny select on sysobjects to Public
deny select on syscolumns to Public
I ran the two lines above in the analyzer and lost all the tables. Did I just do something wrong - should I run the 2 lines above again?
Loganathan Natarajan
Well, have a look at, http://www.sitepoint.com/article/sql-injection-attacks-safe
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.