SQL Injection question
Posted Friday, March 21, 2008 12:28 PM
SSC-Enthusiastic

Group: General Forum Members
Last Login: Wednesday, January 22, 2014 6:38 AM
Points: 104, Visits: 305
I've read plenty of articles regarding SQL injection with web browsers to understand the dangers & strategies for preventing them, but would like a simple answer to another type of injection. Is it possible for SQL injection to happen with fat client applications? I think the answer is yes, but since I'm not a developer, I'm not certain & would like to know. If I'm correct then I need to lean on our developers or help find new tools to automate the testing.

Thanks

:)
Post #473046
Posted Friday, March 21, 2008 12:55 PM
SSCrazy Eights


Group: General Forum Members
Last Login: Wednesday, October 15, 2014 9:14 AM
Points: 9,294, Visits: 9,483
Yes, absolutely. And with 3-tier and n-tier apps also.

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
Post #473061
Posted Saturday, March 22, 2008 8:54 PM
SSC-Dedicated


Group: Administrators
Last Login: Yesterday @ 12:34 PM
Points: 31,181, Visits: 15,626
Any application that allows the user to type in data is vulnerable. Only if the application allowed users to click buttons or make pre-set selections would this not be a problem.

Even entering a name in a field, I could enter Jones';shutdown and stop the server if you were vulnerable to Injection.

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #473266
Posted Saturday, March 22, 2008 9:06 PM
SSCrazy Eights


Group: General Forum Members
Last Login: Wednesday, October 15, 2014 9:14 AM
Points: 9,294, Visits: 9,483
Steve Jones - Editor (3/22/2008)
Any application that allows the user to type in data is vulnerable. Only if the application allowed users to click buttons or make pre-set selections would this not be a problem.

I would not go quite this far, Steve. Rather I would say that any application that allows users to type in text that is eventually used in the construction of strings that are executed as SQL is vulnerable.

The difference being that applications that do allow users to enter data, but only use that data as parameters (via ADO.net parameter objects) to stored procedures that only use them as variables to SQL statements (i.e., never dynamic SQL) should not be vulnerable to SQL injection attacks. Of course not many development environments are that disciplined.


-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
Post #473274
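The distinction RBarryYoung draws above, using the `Jones';shutdown` name from Steve's post, as an added example that is not part of this thread: Python's sqlite3 module and an in-memory database with a constructed `customers` table stand in for ADO.NET and SQL Server, and sqlite3's `?` placeholder stands in for a SqlParameter such as `@name`. The vulnerable insert pastes the typed text into the SQL; the hardened one keeps the SQL fixed and sends the text as a parameter.

```python
import sqlite3

# Constructed sample input: the "name" quoted in the thread.
HOSTILE_NAME = "Jones';shutdown"


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the fat client's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def build_concatenated(name: str) -> str:
    """Vulnerable pattern: the typed text becomes part of the SQL text itself."""
    return "INSERT INTO customers (name) VALUES ('" + name + "')"


def insert_concatenated(conn: sqlite3.Connection, name: str) -> str:
    """Run the concatenated text; returns 'ok' or the engine's complaint.

    The quote inside the input closes the literal early, so the engine sees
    'Jones' followed by a second statement. SQLite has no SHUTDOWN and rejects
    the text with a syntax error; SQL Server would have run the stacked
    statement, which is the point made in the thread.
    """
    try:
        conn.executescript(build_concatenated(name))  # runs every statement in the string
        return "ok"
    except sqlite3.Error as exc:
        return f"engine parsed input as SQL: {exc}"


def insert_parameterized(conn: sqlite3.Connection, name: str) -> str:
    """Hardened pattern: the SQL text is fixed, the value travels as a parameter.

    The value is bound by the driver and can never alter the statement, so the
    quote and the word 'shutdown' are stored as ordinary characters.
    """
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
    return "ok"


def stored_names(conn: sqlite3.Connection) -> list:
    """Read back what actually landed in the table."""
    return [row[0] for row in conn.execute("SELECT name FROM customers ORDER BY id")]


if __name__ == "__main__":
    db = open_db()
    print(insert_concatenated(db, HOSTILE_NAME))
    print(insert_parameterized(db, HOSTILE_NAME))
    print(stored_names(db))
```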