Whing Dela Cruz asked:
Database protection against hackers

Hi, Experts,
I just want to know how hackers can penetrate my database. I am about to launch my small project called Daily Time Record (DTR), but I doubt its safety. The way I save the personnel data into my database is something like the code below. I am using Sql8. Is there anything to add to improve it and keep hackers away? Please give me some ideas. Thanks!

<%
On Error Resume Next
dim icode,title,iname,famna

icode = request.querystring("a")
title = request.querystring("b")
iname = request.querystring("c")
famna = request.querystring("d")

db = request.querystring("db")
theServer = request.querystring("sr")


Set cn = Server.CreateObject("ADODB.Connection")
Set rs = Server.CreateObject("ADODB.Recordset")

cn.ConnectionString = "driver={SQL Server};server=" & theServer & ";uid=sa;pwd=3388;database=" & db & ""
cn.Open

If Err.Number <> 0 Then
   Response.Write(  Err.Number & "|" & Err.Description )
   Response.End()
end if

cn.execute("Insert into Personnel(theCode,TheTitle,TheName,TheFamilyName) values('" & _
           icode & "','" & title & "','" & replace(iname, "'","''") & "','" & replace(famna, "'","''") & "')")
cn.close
set cn = nothing

response.write("Successfully enrolled new item!")
response.end()

On Error GoTo 0
%>


Lee W, MVP

First, I REALLY hope that's not your actual SA password. If so, CHANGE IT NOW. It should be a lot harder to guess than "3388". Further, you should NOT be using the SA account for accessing the database. Create an account specific to that web application that ONLY has rights to the database you are working with.

Second, I've never heard of SQL8 (I use Microsoft SQL and MySQL for my databases), but in general, when working with SQL and Web applications, you want to use stored procedures to perform all your database interactions. This is much more effective against SQL injection attacks.

Lee's comment was the first thing I thought about.

If the SA password you published is your real password, change your password now.

That said...

Best database security is to only run a database instance which can be connected to locally (127.0.0.1) + keep your machine secure.

If your database instance runs on a remote machine, then secure all connections with forced SSL (well, really TLS), so all logins + data transfers are encrypted.

Also maybe you mean MySQL 8, rather than SQL8.
Whing Dela Cruz (Asker)

Thank you Lee and David. I changed my password already. I am using Microsoft SQL Server 2008 (64-bit). First, I hope you can give me some ideas on how attackers can penetrate my server machine. I could not understand, since all the ASP files reside on the server machine and they don't know my password. Guessing the password is, I think, not easy, even a 4-digit combination. Hope you can provide some ideas so that I can understand. Thank you!
madunix

A few points to consider:
• Provide Secure Authentication.
• Change all database accounts and passwords that were provided by default with the database installation.
• Disable or remove all database functionality unneeded by the application.
• Delete all unnecessary default vendor content and schemas.
• Use strongly typed parameterized queries, stored procedures, and input validation to protect database access from injection attacks.
• Configure your application to use the lowest possible level of privilege when accessing the database.
• Do not hard-code connection strings containing cleartext credentials.
• Close the connection as soon as possible after use.
• Encrypt all sensitive data at rest and in transit.
• Minimize data collection.
• Manual code review and testing is a must.
• Apply secure software development.
• Apply threat modeling to identify and rank your threats.

https://www.experts-exchange.com/articles/33330/Threat-Modeling-Process-Basics-and-Purpose.html
https://www.experts-exchange.com/articles/33288/Secure-SDLC-Principles-and-Practices.html

1. Read the userid and pwd from a local/network file and change it often. Passwords should be long and not related to one another. GUIDs make for good passwords.

2. Clean the string values you read before using them. You are open to SQL injection.

3. Consider invoking a stored procedure rather than creating and executing your own SQL.

4. I'm not sure that your Replace() functions will protect you the way you might have intended. If someone enters a string that contains a quote character, your execute() method will fail.

SQL Server 2008 is now 11 years old and out of support.

Strongly suggest you adopt a later, supported, version.
(Lingering security vulnerabilities are not being assessed or fixed for unsupported versions.)

See: https://www.cvedetails.com/version-list/26/251/1/Microsoft-Sql-Server.html

"Read the userid and pwd from a local/network file and change it often."
Rather, execute the code in the context of the application pool user account.

"GUIDs make for good passwords"
A random password of the same length is exponentially stronger than a password derived from a GUID that only contains 0-9 and A-F.

You said, "how can attackers can penetrate my server machine?"

Depends on what software is running on the machine + how you secure your software.

To reword my comments above. Here's how to secure your machine.

1) If you run a database instance which has a public IP exposed, then you must wrap all connections in an SSL/TLS cert.

If you do not, anyone can scrape your user/pass login off the wire + potentially access your machine.

2) If you run a database instance which has a public IP exposed, also best to ACL the incoming connection so only whitelisted IPs can connect to your database machine IP.

3) Best security, is run your database instance on the same machine as your App, where App is the database user, like WordPress PHP files. Then secure this machine well.

Machine security is only as good as your starting software + how you managed your updates + keep your machine locked down.

Keep in mind https://blogs.msdn.microsoft.com/sqlreleaseservices/end-of-mainstream-support-for-sql-server-2008-and-sql-server-2008-r2/ hasn't had an update in many years. In fact 7/26/2012 was last update.

So you're building a project on SQL 2008... well... I'd start with a supported version first.

Same applies to your OS version. For example, if you're running a version of Windows which is EOL (End Of Life), then you may be running a hackable OS. There's no way to secure an OS version with known backdoors any hacker can access.

Security Rule #1 - Only use currently supported software + install updates as soon as they release.

Going back to just looking at your code, the major issue is that you are adding data to your database using only basic filtering of potentially bad data and not using a parameterized query.

icode = request.querystring("a")
':
':
 cn.execute("Insert into Personnel(theCode,TheTitle,TheName,TheFamilyName) values('" & _
                         icode & "','" & title & "','" & replace(iname, "'","''") & "','" & replace(famna, "'","''") & "')")

Here is an article by Wayne and a solution by me. Both look like they used code generated from Dreamweaver, but they are good examples. The key is that, in your insert statement, you replace the values with question marks, then define what the placeholders are, such as numeric or variable character with a maximum length. If you do nothing else, going to a parameterized insert statement will be the number one thing to change in your code.
https://www.experts-exchange.com/articles/3626/ASP-Classic-Using-Parameterized-Queries.html
https://www.experts-exchange.com/questions/27742744/INSERT-to-multiple-tables.html?anchorAnswerId=38044084#a38044084
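To make the advice in this thread concrete, here is the asker's insert rewritten with an ADODB.Command and typed parameters, the connection details fixed on the server side, and a least-privilege login instead of sa. This is an added example, not code from the question or from the linked articles; the login name dtr_app, the column widths, the driver name and the password placeholder are assumptions.

```vbscript
<%
' Added example, not code from the original question or the linked articles.
' Assumptions: a SQL login "dtr_app" with INSERT on Personnel only, column widths
' of 20/20/50/50, and an ODBC driver that honours Encrypt=yes. Use adVarWChar (202)
' instead of adVarChar if the columns are nvarchar.
Option Explicit
Const adCmdText = 1, adParamInput = 1, adVarChar = 200
Dim cn, cmd, icode, title, iname, famna
icode = Trim(Request.QueryString("a"))
title = Trim(Request.QueryString("b"))
iname = Trim(Request.QueryString("c"))
famna = Trim(Request.QueryString("d"))
' Reject input that cannot fit the columns before touching the database.
If Len(icode) = 0 Or Len(icode) > 20 Or Len(title) > 20 _
   Or Len(iname) = 0 Or Len(iname) > 50 Or Len(famna) > 50 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If
' Server, database and credentials are fixed on the server side; the browser
' can no longer pick the server or the database, and "sa" is not used at all.
Set cn = Server.CreateObject("ADODB.Connection")
cn.Open "driver={ODBC Driver 17 for SQL Server};server=localhost;database=DTR;" & _
        "uid=dtr_app;pwd=<PASSWORD-PLACEHOLDER>;Encrypt=yes"
' Placeholders instead of string concatenation: each value is sent as a typed
' parameter, so a quote inside a name is data and never part of the statement.
Set cmd = Server.CreateObject("ADODB.Command")
cmd.ActiveConnection = cn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO Personnel (theCode, TheTitle, TheName, TheFamilyName) " & _
                  "VALUES (?, ?, ?, ?)"
cmd.Parameters.Append cmd.CreateParameter("code", adVarChar, adParamInput, 20, icode)
cmd.Parameters.Append cmd.CreateParameter("title", adVarChar, adParamInput, 20, title)
cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 50, iname)
cmd.Parameters.Append cmd.CreateParameter("fam", adVarChar, adParamInput, 50, famna)
On Error Resume Next
cmd.Execute
If Err.Number <> 0 Then
    ' Keep Err.Description in the server log; do not echo it to the client.
    Response.Status = "500 Internal Server Error"
    Response.Write "Could not save the record."
Else
    Response.Write "Successfully enrolled new item!"
End If
On Error GoTo 0
cn.Close
Set cmd = Nothing
Set cn = Nothing
%>
```

Parameters are bound by position, so the order of the Append calls must match the order of the question marks in the statement.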