Link to home
Start Free TrialLog in
Avatar of avaj

asked on

SQL Injection and Database permissions

My site was recently attacked with an sql injection.  I have followd the shopping carts steps to hopefully prevent further attacks (is there a way to test this?); the shopping cart also recommends that I change the db permissions.  I tried their recommendation but then lost the data base tables (have since had them restored by hosting company).  I am about to put the site back on but would like to know if I should first do what shopping cart suggested:

Run the following two queries to reduce permissions on two system tables for the database user that is used in the ProductCart database connection string (UID located in the connection string saved to the file includes/storeconstants.asp). This measure can prevent the execution of certain types of SQL injection attacks, should vulnerable code exist in the ASP source code.

The commands to run in query analyzer are:

deny select on sysobjects to DatabaseUser
deny select on syscolumns to DatabaseUser
& where DatabaseUser corresponds to the UID value in the database connection string in your storeconstants.asp file.

If you are setting up a new  store, run these queries after setting up the  database.

If you receive an error similar to the following:

Msg 4604, Level 16, State 1, Line 1

There is no such user or group 'YOURUSER'.
This is probably due to the fact that the user YOURUSER belongs to the default database role called Public.

You can get around the problem by running the same queries with Public instead of the user name used in the connection string. Therefore, the queries become.

deny select on sysobjects to Public
deny select on syscolumns to Public

I ran the two lines above in the analyzer and lost all the tables.  Did I just do something wrong - should I run the 2 lines above again?
Avatar of Loganathan Natarajan
Loganathan Natarajan
Flag of India image

Avatar of avaj

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial