Secure Programming
Posted Thursday, March 19, 2009 9:45 AM
Valued Member
Group: General Forum Members
Last Login: Friday, August 1, 2014 4:13 AM
Points: 67, Visits: 715
Constants aren't and variables do...

There is no problem so great that it can not be solved by caffeine and chocolate.
Post #679577
Posted Thursday, March 19, 2009 10:28 AM
Ten Centuries
Group: General Forum Members
Last Login: Friday, August 10, 2012 6:08 PM
Points: 1,156, Visits: 801
Too many web developers I have met do not understand even half of the items in the top 25 list...

And if they don't get it, management certainly does not within those same organizations.
Post #679637
Posted Thursday, March 19, 2009 10:52 AM
SSC Eights!
Group: General Forum Members
Last Login: Thursday, February 6, 2014 12:59 PM
Points: 801, Visits: 1,962
Ian Brown (3/19/2009)
Constants aren't and variables do...

What language is it where
1 = 2
is supported?

ATB
Charles Kincaid

Post #679666
Posted Thursday, March 19, 2009 11:56 AM
SSC Veteran
Group: General Forum Members
Last Login: Monday, June 24, 2013 11:26 AM
Points: 208, Visits: 380
Charles Kincaid (3/19/2009)
Ian Brown (3/19/2009)
Constants aren't and variables do...

What language is it where
1 = 2
is supported?

I've forgotten enough COBOL that I can't recall if it worked there, but I'm pretty sure that's true and easy to explain in Perl (for small values of easy).
Post #679745
Posted Thursday, March 19, 2009 12:28 PM
SSCrazy Eights
Group: General Forum Members
Last Login: Thursday, June 5, 2014 10:54 AM
Points: 9,902, Visits: 9,480
Charles Kincaid (3/19/2009)
Ian Brown (3/19/2009)
Constants aren't and variables do...

What language is it where
1 = 2
is supported?

The issue isn't whether it's supported in some language, the issue is whether it happens in that language.


-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
Post #679774
Posted Thursday, March 19, 2009 12:33 PM
SSCommitted
Group: General Forum Members
Last Login: Yesterday @ 6:41 PM
Points: 1,733, Visits: 1,071
I like Charles's list as well and am kind of an extremist too. The solution to solving SQL Injection attacks is simply for every RDBMS system to flat out not allow inline SQL. Everything must be done with stored procedures and parameters.

I first heard about SQL Injection back in like 1997 or 1998. It amazes me how big of a topic it still is today and how many problems it still causes. Ridiculous!
Post #679777
Posted Thursday, March 19, 2009 12:53 PM
SSC-Forever
Group: General Forum Members
Last Login: Today @ 7:57 AM
Points: 43,045, Visits: 36,205
kevin77 (3/19/2009)
The solution to solving SQL Injection attacks is simply for every RDBMS system to flat out not allow inline SQL. Everything must be done with stored procedures and parameters.

Even that's not sufficient. I spent a good couple of hours explaining to a fairly experienced web developer why this is vulnerable to injection, regardless of what the procedure does.

Pseudo C# code:

SqlCommand cmd = new SqlCommand();
// The text box values are spliced straight into the command text, so whatever the user typed becomes part of the statement before SomeProcedure ever sees its parameters.
cmd.CommandText = "Exec SomeProcedure @Param1 = '" + txtSomeValue.ToString() + "', @Param2 = '" + txtSomeOtherValue.ToString() + "';";
cmd.ExecuteNonQuery();

And don't forget the nicely parameterised stored procedure that goes and builds up a SQL string with those parameters and EXECs it.

No inline SQL
All stored procedure calls must be properly parameterised
Any dynamic SQL within said procedures must be properly parameterised and must not include values from the front end or from the database.

Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #679798
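Gail's third rule, dynamic SQL built inside a procedure, is the one that survives even a perfectly parameterised client call, so here is an added T-SQL illustration of it (my own example, not code from the thread): the same lookup written first as an EXEC of a concatenated string and then with sys.sp_executesql, which hands the value over as a typed parameter. The table dbo.Customers and both procedure names are assumed for the example; the O'Brien input is a constructed test value.

```sql
-- Added example, not code from the thread. dbo.Customers and the two
-- procedure names are assumed for illustration only.

-- UNSAFE: the caller passes @LastName as a proper parameter, but the
-- procedure then splices it into a string and executes that string, so
-- the value becomes part of the statement text rather than data.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N''';';
    EXEC (@sql);    -- whatever is in @LastName is now executed as T-SQL
END;
GO

-- SAFE: the statement text is a fixed string and the value travels through
-- sys.sp_executesql as a typed parameter; it is never parsed as code.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customers '
             + N'WHERE LastName = @ln;';
    EXEC sys.sp_executesql
        @stmt   = @sql,
        @params = N'@ln nvarchar(50)',
        @ln     = @LastName;
END;
GO

-- A value containing a quote (constructed test input). The safe procedure
-- looks up the literal name O'Brien; the unsafe one builds
--   ... WHERE LastName = 'O'Brien';
-- and fails to parse, which is exactly the symptom an injection test
-- in QA should be looking for.
EXEC dbo.FindCustomer_Safe   @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Unsafe @LastName = N'O''Brien';
```

The client-side half of the picture is the same rule applied in C#: set cmd.CommandType = CommandType.StoredProcedure and add the values with cmd.Parameters.Add(...) instead of concatenating an "Exec ..." string. Where the dynamic part genuinely has to be an identifier (a table or column name, which cannot be a parameter), validate it against the catalogue views and wrap it in QUOTENAME() before it goes into the string; everything that is a value goes through sp_executesql.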
Posted Thursday, March 19, 2009 1:07 PM
Valued Member
Group: General Forum Members
Last Login: Yesterday @ 6:14 PM
Points: 58, Visits: 680
Seems like Charles' list touches a chord.

I too am surprised at how common SQL injection vulnerabilities (still) are. Having recently implemented an EDRMS system, our supplier provided a small add-in to integrate with another system. I knew they would be taking values from a form to query a database and my first test was for SQL injection - I don't need to tell you it failed. They fixed it straight away, but these are supposedly professional developers, who do this sort of work for a living. Such tests should be part of any good QA regime and never make it off the factory floor.

Chris
Post #679819
Posted Thursday, March 19, 2009 2:12 PM
SSCrazy Eights
Group: General Forum Members
Last Login: Thursday, June 5, 2014 10:54 AM
Points: 9,902, Visits: 9,480
GilaMonster (3/19/2009)
kevin77 (3/19/2009)
The solution to solving SQL Injection attacks is simply for every RDBMS system to flat out not allow inline SQL. Everything must be done with stored procedures and parameters.

Even that's not sufficient. I spent a good couple of hours explaining to a fairly experienced web developer why this is vulnerable to injection, regardless of what the procedure does.

Pseudo C# code:

SqlCommand cmd = new SqlCommand();
// The text box values are spliced straight into the command text, so whatever the user typed becomes part of the statement before SomeProcedure ever sees its parameters.
cmd.CommandText = "Exec SomeProcedure @Param1 = '" + txtSomeValue.ToString() + "', @Param2 = '" + txtSomeOtherValue.ToString() + "';";
cmd.ExecuteNonQuery();

And don't forget the nicely parameterised stored procedure that goes and builds up a SQL string with those parameters and EXECs it.

No inline SQL
All stored procedure calls must be properly parameterised
Any dynamic SQL within said procedures must be properly parameterised and must not include values from the front end or from the database.

Right, Gail. One of the most often missed points in discussions about SQL Injection is that the injection can happen on the client side as well as the server side.

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
Post #679897
Posted Thursday, March 19, 2009 8:48 PM
Hall of Fame
Group: General Forum Members
Last Login: Today @ 10:22 AM
Points: 3,433, Visits: 14,430
I am late to this but Microsoft have improved the System.Security.Cryptography class with the implementation of the new Elliptic Curve Diffie-Hellman classes which are more secure than the previous version. This will improve application layer encryption so all that is needed is improved SQL Server based encryption.

The reason is these classes cannot be used for CLR assembly so there must be a solution for the persisted data in SQL Server.

http://blogs.msdn.com/shawnfa/archive/2007/01/22/elliptic-curve-diffie-hellman.aspx

Elliptic Curve is modular Taniyama-Shimura

Kind regards,
Gift Peddie
Post #680100