Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

SQL INJECTION Expand / Collapse
Author
Message
Posted Thursday, November 5, 2009 3:46 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: 2 days ago @ 11:11 PM
Points: 8, Visits: 171
Hi,

how to prevent injection with trigger ? it's possible ?

many thanks,
Post #814102
Posted Thursday, November 5, 2009 5:02 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Friday, November 21, 2014 12:12 PM
Points: 5,615, Visits: 6,413
Not quite sure what you're asking. Do you mean you want to create a trigger that looks at the input before anything happens so you can verify there's no SQL in it? Or do you mean something else?

SQL 2005 has some built in "injection prevention" already and there are ways to validate input on the front end before the input gets to the server. Is there a reason why you can't use input validation?

EDIT: Before I get jumped on by others, I should clarify the above statement. SQL 2005 does *not prevent* SQL Injection attacks if you leave room for them. However, there are tools in 2k5 that assist in preventing them if you use the tools correctly. Look up "SQL Injection" in BOL for more details. And if I can find the specific reference from my training book on 2k5 (the "Updating your DB skills" course offered by New Horizons), I'll post it.


Brandie Tarvin, MCITP Database Administrator

Webpage: http://www.BrandieTarvin.net
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.

Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
Post #814130
Posted Thursday, November 5, 2009 5:16 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: 2 days ago @ 11:11 PM
Points: 8, Visits: 171
I already have a script anti injection in ASP, ASPX I would like to trigger an anti Injection
Post #814139
Posted Thursday, November 5, 2009 5:22 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Friday, November 21, 2014 12:12 PM
Points: 5,615, Visits: 6,413
I'm sorry, but I'm still not clear on what you want to accomplish. Could you be more detailed?


Brandie Tarvin, MCITP Database Administrator

Webpage: http://www.BrandieTarvin.net
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.

Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
Post #814146
Posted Friday, November 6, 2009 10:43 AM
SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Tuesday, November 4, 2014 1:50 PM
Points: 2,845, Visits: 1,160
Triggers react to DML and DDL events. If some code is suceptible to SQL injection attacks, you would have to predict the form of every possible attact to write triggers for them.

You prevent SQL injection by using methods that don't permit user-entered text to be executed as commands. Triggers are reactive, they won't run until the attack has already succeeded.



Post #815078
Posted Friday, November 6, 2009 11:06 AM


SSCommitted

SSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommittedSSCommitted

Group: General Forum Members
Last Login: Sunday, November 4, 2012 12:23 PM
Points: 1,893, Visits: 3,932
Very generic question...

First and best way to prevent any SQL injection:
* Don't allow clients to create dynamic SQL. Secure the complete database with a stored procedures interface
* Do not use any dynamic SQL within those procedures.

For new-school client technologies:
Today O/R-Mapper frameworks become more and more common. Use well known frameworks like (N)Hibernate or Entity Framework. The large frameworks always ensure a correct and not injectable SQL. Don't use rebel frameworks. Don't use the custom SQL features (if any) of these frameworks.

More optimistic prevention (which still can work):
If you don't use a O/R-Mapper and your client apps generate dynamic SQL statements. Tell the developers never to add values as strings. Always use the data provider interfaces like SqlCommand objects in .NET

Greets
Flo



The more I learn, the more I know what I do not know
Blog: Things about Software Architecture, .NET development and T-SQL

How to Post Data/Code to get the best Help How to Post Performance Problems
Post #815093
Posted Friday, November 6, 2009 11:12 AM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Monday, November 17, 2014 12:50 PM
Points: 13,872, Visits: 9,598
Triggers are not the right tool to use to prevent SQL injection. By the time the code has fired off a trigger, it's WAY too late to be preventing injection.

Injection attacks are more likely to be about selecting data (to steal it) than to be about updating data. Triggers can't fire on selects.


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #815096
Posted Saturday, November 7, 2009 4:48 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: 2 days ago @ 11:11 PM
Points: 8, Visits: 171
Many thanks...
Post #815387
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse