  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 284

SQL Admins best practices against SQL injection

QUESTION 1: What can my SQL admins do to prevent and identify SQL Injection vulnerabilities?
0
Asked by: DEFclub
3 Solutions
 
Toxacon commented:
There isn't much you can do at the T-SQL level because the injections are legal SQL queries and therefore it is very difficult to stop them at the SQL server itself.
0
 
markterry commented:
Several things, basically you need to clean the input. Use procedures to both clean input, and prevent unwanted data types.

If you have a query like the following, where you append the value of an input box into the query:
Select Column1, column2 from table where column like 'value from input box'

the injector could use this input:
' UNION ALL Select column_Name, table_name from information_Schema.columns

That would append a list of columns and table names to the results, and they could use that info to write further queries.

Using a stored procedure, that would come in all as text, and the query would fail.

You can also strip unwanted characters.

see below for more info.

SQL Injection Overview
MS SQL Injection Best Practices with ASP.NET
0
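The concatenated query and its parameterized counterpart from the answer above, as an added example that is not part of the original thread. It assumes an in-memory SQLite database as a stand-in for SQL Server, so the catalog table sqlite_master plays the role of information_schema.columns in the injected UNION.

```python
import sqlite3


def make_db():
    # Constructed sample schema; SQLite in memory stands in for SQL Server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (column1 TEXT, column2 TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice", "gold"), ("bob", "silver")])
    db.execute("CREATE TABLE secrets (column1 TEXT, column2 TEXT)")
    return db


def search_vulnerable(db, user_input):
    # The pattern the answer warns about: the input box value is appended
    # into the query text, so a quote in the input closes the string literal
    # and whatever follows is parsed as SQL.
    sql = ("SELECT column1, column2 FROM customers "
           "WHERE column1 LIKE '" + user_input + "'")
    return db.execute(sql).fetchall()


def search_parameterized(db, user_input):
    # Bound parameter: the value travels separately from the statement text,
    # so the entire input is one text value, quotes included. This is the
    # same property a stored procedure with typed parameters gives you.
    sql = "SELECT column1, column2 FROM customers WHERE column1 LIKE ?"
    return db.execute(sql, (user_input,)).fetchall()


# The thread's payload, with sqlite_master (name, type) in place of
# information_schema.columns (column_name, table_name). The trailing "--"
# comments out the closing quote that the vulnerable query appends.
INJECTION = "' UNION ALL SELECT name, type FROM sqlite_master --"


def demo():
    # Returns what each variant yields for the same input, so the effect of
    # the missing parameter binding can be compared side by side.
    db = make_db()
    return {
        "vulnerable": search_vulnerable(db, INJECTION),
        "parameterized": search_parameterized(db, INJECTION),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable variant returns the catalog rows (table names) instead of customer rows; the parameterized variant returns nothing because no customer is literally named after the payload string.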
 
venk_r commented:
We can at least follow certain guidelines to prevent SQL Injection.
Please take a look at this article.
http://www.marcofolio.net/features/how_you_can_prevent_an_sql_injection.html

Also some recommendations from Microsoft:
http://technet.microsoft.com/en-us/security/advisory/954462
0
 
DEFclub (Author) commented:
thxs
0
