Vulnerable to SQL Injection third-party API
Posted Thursday, January 30, 2014 1:47 PM
Cadavre (1/30/2014):
"To be honest here, guys, I don't think there's a whole lot more I can do."

Then write it up and send it out to your manager and the corporate legal, corporate compliance, and corporate security teams, so that after there's a breach you can pull out the printout you keep at home of the heads-up you gave everyone. And update your resume.
Post #1536543
Posted Thursday, January 30, 2014 3:19 PM
Can you isolate the database on a different machine and treat it like a machine on the other side of the DMZ?

Post #1536568
Posted Friday, January 31, 2014 3:31 PM
If you know how the API is broken, what about an article here? Write this up, don't mention the company or use their API, but show how a similar API scheme or implementation is broken.

I bet you'd get lots of good supporting comments that might worry the company.

Follow me on Twitter: @way0utwest
Post #1537009
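The write-up Steve suggests above would need exactly this kind of illustration: a small lookup API built the broken way next to the same API built with bound parameters, plus the black-box check you would run against the real vendor API to show the difference. The code below is an added example for this thread, not the third-party API being discussed and not anything the vendor ships; the table, column names, sample rows and the function names are assumptions. It uses SQLite so it runs offline, but the concatenation-versus-parameter distinction is the same on SQL Server.

```python
"""Added example for this thread: a toy 'customer lookup' API built two ways,
showing why splicing caller text into SQL is injectable and why a bound
parameter is not. Illustrative only: the schema, rows and names are
assumptions, not the real third-party API under discussion."""
import sqlite3


def build_db():
    # Constructed sample data, not taken from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, api_key) VALUES (?, ?)",
        [("alice", "k-alice-1"), ("bob", "k-bob-2"), ("carol", "k-carol-3")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The broken pattern: caller-controlled text becomes part of the SQL itself,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # The fix: the value is sent as a bound parameter. Whatever it contains,
    # it is compared as data and never parsed as SQL.
    sql = "SELECT name FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def looks_injectable(lookup, conn):
    # Quick black-box check usable against any lookup-style API: a tautology
    # payload that returns more rows than a nonexistent exact name is a strong
    # sign the input is reaching the database as SQL text.
    baseline = lookup(conn, "no-such-customer")
    probe = lookup(conn, "no-such-customer' OR '1'='1")
    return len(probe) > len(baseline)


def demo():
    # Run both implementations against a benign name and a classic payload.
    conn = build_db()
    payload = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_injected": lookup_vulnerable(conn, payload),  # every row leaks
        "safe_normal": lookup_safe(conn, "bob"),
        "safe_injected": lookup_safe(conn, payload),  # no match, nothing leaks
        "vulnerable_flagged": looks_injectable(lookup_vulnerable, conn),
        "safe_flagged": looks_injectable(lookup_safe, conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `looks_injectable` probe is deliberately read-only and the payload is a tautology rather than anything destructive, which is the shape of test you can defensibly run (and document) against a vendor system you do not own.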
Posted Tuesday, February 4, 2014 2:36 PM
Steve Jones - SSC Editor (1/31/2014):
"If you know how the API is broken, what about an article here? Write this up, don't mention the company or use their API, but show how a similar API scheme or implementation is broken.

I bet you'd get lots of good supporting comments that might worry the company."

Maybe that'd work; I'll have a think about it.
Post #1537951