SQL Injection question
BigSam
Posted Friday, March 21, 2008 12:28 PM
I've read plenty of articles regarding SQL injection with web browsers to understand the dangers & strategies for preventing them, but would like a simple answer to another type of injection. Is it possible for SQL injection to happen with fat client applications? I think the answer is yes, but since I'm not a developer, I'm not certain & would like to know. If I'm correct then I need to lean on our developers or help find new tools to automate the testing.
Thanks
:)
Post #473046
RBarryYoung
Posted Friday, March 21, 2008 12:55 PM
Yes, absolutely. And with 3-tier and n-tier apps also.
-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc. "Performance is our middle name."
Post #473061
Steve Jones - SSC Editor
Posted Saturday, March 22, 2008 8:54 PM
Any application that allows the user to type in data is vulnerable. Only if the application allowed users to click buttons or make pre-set selections would this not be a problem.
Even entering a name in a field, I could enter Jones';shutdown and stop the server if you were vulnerable to Injection.
Follow me on Twitter: @way0utwest
Post #473266
RBarryYoung
Posted Saturday, March 22, 2008 9:06 PM
Steve Jones - Editor (3/22/2008) wrote:
"Any application that allows the user to type in data is vulnerable. Only if the application allowed users to click buttons or make pre-set selections would this not be a problem."
I would not go quite this far, Steve. Rather, I would say that any application that allows users to type in text that is eventually used in the construction of strings that are executed as SQL is vulnerable.
The difference being that applications that do allow users to enter data, but only use that data as parameters (via ADO.NET parameter objects) to stored procedures that only use them as variables to SQL statements (i.e., never dynamic SQL) should not be vulnerable to SQL injection attacks. Of course, not many development environments are that disciplined.
-- RBarryYoung
Post #473274
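The distinction drawn in the last post, sketched in T-SQL as an added example (not code from any poster in this thread): the table dbo.Customers and the three procedure names are assumptions made for illustration. It goes slightly beyond the thread by also showing sp_executesql with a typed parameter, for cases where dynamic SQL cannot be avoided.

```sql
-- Added example; dbo.Customers and all procedure names are assumptions.
CREATE TABLE dbo.Customers (
    CustomerID int IDENTITY(1,1) PRIMARY KEY,
    LastName   nvarchar(50) NOT NULL
);
GO

-- Vulnerable: even when the client passes @LastName through a parameter
-- object, the value is concatenated into a string and executed, so the
-- server parses the user's text as part of the SQL statement.
CREATE PROCEDURE dbo.FindCustomer_Concatenated @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerID, LastName FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N'''';
    EXEC (@sql);
END
GO

-- Not injectable: the parameter is only ever a variable in a static
-- statement, so its content is compared as data and never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Static @LastName nvarchar(50)
AS
BEGIN
    SELECT CustomerID, LastName
    FROM dbo.Customers
    WHERE LastName = @LastName;
END
GO

-- Dynamic SQL that stays parameterized: the statement text is fixed and
-- the value travels separately as a typed parameter of sp_executesql.
CREATE PROCEDURE dbo.FindCustomer_Parameterized @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerID, LastName FROM dbo.Customers '
             + N'WHERE LastName = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(50)', @p = @LastName;
END
GO

-- Review aid: PRINT (do not execute) the text the first procedure builds
-- for the input quoted in Steve Jones's post. The quote inside the value
-- ends the string literal, so the rest is handed to the parser as SQL.
DECLARE @input nvarchar(50), @built nvarchar(4000);
SET @input = N'Jones'';shutdown';
SET @built = N'SELECT CustomerID, LastName FROM dbo.Customers '
           + N'WHERE LastName = ''' + @input + N'''';
PRINT @built;
```

When reviewing existing procedures, the pattern to look for is any EXEC or sp_executesql call whose statement string is assembled from a parameter or column value.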