
how to prevent the MS SQL 2000 database from data injection attack

lilyyan asked
Last Modified: 2013-12-12
hello:

i'm using php and ms sql 2000. a few days ago, the tables got attacked. the data in the table had some weird strings inserted.

i searched online, it seems that using a prepared statement can prevent this attack. not so sure how to use the prepared statement and its requirements?

could some expert here have some suggestions about data injection attacks on ms sql 2000?

thank you so much!

CERTIFIED EXPERT
Awarded 2008

Commented:
Use stored procedures for all interaction from your web code to the database...and validate ALL input coming from your web pages.

Author

Commented:
may you post an example for using stored procedures, i don't know how to do that....

thank you so much !
CERTIFIED EXPERT
Awarded 2008
Commented:

Author

Commented:
thanks much for your reply.
do you think using a prepared statement can prevent this attack?
CERTIFIED EXPERT
Awarded 2008

Commented:
potentially...

Author

Commented:
may you explain why the prepared statement can prevent data injection?

also you mentioned validating every input. how could validating input prevent data injection?

last question:
how is data injection invoked?

thanks so much!
CERTIFIED EXPERT
Awarded 2008
Commented:

Author

Commented:
may you explain a little how data injection can happen?
CERTIFIED EXPERT
Awarded 2008
Commented:

Author

Commented:
may you explain why the prepared statement can prevent data injection?
CERTIFIED EXPERT
Awarded 2008

Commented:
what do you mean?

Author

Commented:
well, i don't know how prepared statement can prevent data injection?

i thought it is just a placeholder in the statement, and the value of the placeholder will be replaced by the form variable. and the form variable is input by a random user, so this user can input the bad sql from the form. so the placeholder in the prepared statement still gets the embedded sql

so i don't know how prepared statement can prevent data injection?
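
An added example (not part of the original thread) for the question in the post above: with string concatenation the form value becomes part of the SQL text, while with a prepared statement the SQL text is fixed first and the value is bound afterwards as data. It assumes PHP's PDO with an in-memory SQLite database standing in for MS SQL; the `users` table, the function names and the input are constructed for illustration.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MS SQL so the script runs without a server; table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");
$pdo->exec("INSERT INTO users (name) VALUES ('bob')");

// Vulnerable: the input is pasted into the SQL text, so the database parses
// any quote or keyword inside it as part of the statement itself.
function findConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: prepare() fixes the statement with a placeholder; execute()
// supplies the input as a bound value that is only compared with the column
// and is never parsed as SQL.
function findPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed form input that contains SQL syntax.
$input = "nobody' OR '1'='1";

printf("concatenated: %d row(s)\n", count(findConcatenated($pdo, $input)));
printf("prepared:     %d row(s)\n", count(findPrepared($pdo, $input)));
printf("prepared, ordinary name: %d row(s)\n", count(findPrepared($pdo, 'bob')));
```

With the constructed input, the concatenated query matches every row because the `OR '1'='1'` is parsed as SQL, while the prepared query looks for a user whose name is that exact string and finds none.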