Solved

SQL Admins best practices against SQL injection

Posted on 2011-09-07
276 Views
Last Modified: 2012-05-12
QUESTION 1: What can my SQL admins do to prevent and identify SQL injection vulnerabilities?
Question by:DEFclub
4 Comments
 
LVL 8

Accepted Solution

by:
Toxacon earned 668 total points
ID: 36497465
There isn't much you can do at the T-SQL level because the injections are legal SQL queries and therefore it is very difficult to stop them at the SQL server itself.
0
 
LVL 6

Assisted Solution

by:markterry
markterry earned 664 total points
ID: 36497511
Several things; basically, you need to clean the input. Use procedures both to clean input and to prevent unwanted data types.

If you have a query like the following, where you append the value of an input box into the query:
Select Column1, column2 from table where column like 'value from input box'

the injector could use this input:
' UNION ALL Select column_Name, table_name from information_Schema.columns

That would append a list of columns and table names to the results, and they could use that info to write further queries.

Using a stored procedure, that would all come in as text, and the query would fail.

You can also strip unwanted characters.

See below for more info.

SQL Injection Overview
MS SQL Injection Best Practices with ASP.NET
0
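The difference markterry describes (input pasted into the query text versus input passed to a procedure as a typed value) can be seen end to end with a small runnable example. This is an added illustration, not code from the thread: it uses Python's built-in sqlite3 module with a constructed in-memory database, and the hypothetical tables `products` and `secrets` stand in for "table" and the catalog (SQLite exposes its catalog as `sqlite_master` rather than `information_schema.columns`). The vulnerable function builds the query by string concatenation exactly as the answer's "value from input box" pattern does; the hardened function binds the same input as a parameter, which is what a stored procedure or `sp_executesql` with parameters gives you on SQL Server.

```python
import sqlite3

# Constructed sample schema: an ordinary products table plus a table the
# application never meant to expose through the search box.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (column1 TEXT, column2 TEXT, column3 TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("widget", "blue", "public"), ("gadget", "red", "public")],
    )
    conn.execute("CREATE TABLE secrets (column1 TEXT, column2 TEXT)")
    conn.execute("INSERT INTO secrets VALUES ('example_row', 'PLACEHOLDER')")
    return conn


def search_concatenated(conn: sqlite3.Connection, user_input: str) -> list:
    """The pattern the answer warns about: the input box value is spliced
    straight into the SQL text, so the engine parses whatever it contains."""
    sql = f"SELECT column1, column2 FROM products WHERE column3 LIKE '{user_input}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """Same query, but the value is bound as a parameter. The SQL text is fixed
    before the input is seen, so the input can only ever be a string literal."""
    sql = "SELECT column1, column2 FROM products WHERE column3 LIKE ?"
    return conn.execute(sql, (user_input,)).fetchall()


# Constructed input mirroring the thread's UNION example. The final quote in
# this string is closed by the trailing quote already present in the template,
# so the concatenated text parses as one valid statement.
CATALOG_DUMP_INPUT = (
    "' UNION ALL SELECT name, sql FROM sqlite_master WHERE name <> '"
)


def demo() -> dict:
    """Run both variants over the same input and return what each leaks."""
    conn = make_db()
    return {
        "concatenated": search_concatenated(conn, CATALOG_DUMP_INPUT),
        "parameterized": search_parameterized(conn, CATALOG_DUMP_INPUT),
        "normal_search": search_parameterized(conn, "public"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running it shows the concatenated version returning the names and CREATE statements of every table in the database (the catalog, just as the answer describes with `information_schema.columns`), while the parameterized version returns no rows for that input because it is compared as a literal string against `column3`, and a plain search for `public` still works. The detection side of the original question follows from the same distinction: any code path that builds SQL text from request data is the place to look, and on SQL Server the same fixed-text-plus-bound-values discipline applies to dynamic SQL inside procedures, which is why `EXEC(@sql)` built from concatenated strings does not get the protection that a procedure with typed parameters does.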
 
LVL 8

Assisted Solution

by:venk_r
venk_r earned 668 total points
ID: 36497554
We can at least follow certain guidelines to prevent SQL injection.
Please take a look at this article.
http://www.marcofolio.net/features/how_you_can_prevent_an_sql_injection.html

Also some recommendations from Microsoft:
http://technet.microsoft.com/en-us/security/advisory/954462
0
 

Author Closing Comment

by:DEFclub
ID: 36499637
thxs
0
