SQL INJECTION

SQLServerCentral is supported by Red Gate Software Ltd.

Popular Topics

Home

Members

Calendar

Who's On

Home » SQL Server 2005 » SQL Server 2005 Security » SQL INJECTION

SQL INJECTION

Rate Topic

Display Mode

Topic Options

Author

Message

m_belhocine

Posted Thursday, November 05, 2009 3:46 AM

Forum Newbie

Group: General Forum Members
Last Login: Tuesday, March 19, 2013 12:30 AM
Points: 8, Visits: 154

Hi,

how to prevent injection with trigger ? it's possible ?

many thanks,

Post #814102

Brandie Tarvin

Posted Thursday, November 05, 2009 5:02 AM

SSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 12:35 PM
Points: 6,650, Visits: 5,666

Not quite sure what you're asking. Do you mean you want to create a trigger that looks at the input before anything happens so you can verify there's no SQL in it? Or do you mean something else?

SQL 2005 has some built in "injection prevention" already and there are ways to validate input on the front end before the input gets to the server. Is there a reason why you can't use input validation?

EDIT: Before I get jumped on by others, I should clarify the above statement. SQL 2005 does *not prevent* SQL Injection attacks if you leave room for them. However, there are tools in 2k5 that assist in preventing them if you use the tools correctly. Look up "SQL Injection" in BOL for more details. And if I can find the specific reference from my training book on 2k5 (the "Updating your DB skills" course offered by New Horizons), I'll post it.

Brandie Tarvin, MCITP Database Administrator, MCDBA, MCSA

Webpage: http://www.BrandieTarvin.net
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.

Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

Post #814130

m_belhocine

Posted Thursday, November 05, 2009 5:16 AM

Forum Newbie

Group: General Forum Members
Last Login: Tuesday, March 19, 2013 12:30 AM
Points: 8, Visits: 154

I already have a script anti injection in ASP, ASPX I would like to trigger an anti Injection

Post #814139

Brandie Tarvin

Posted Thursday, November 05, 2009 5:22 AM

SSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 12:35 PM
Points: 6,650, Visits: 5,666

I'm sorry, but I'm still not clear on what you want to accomplish. Could you be more detailed?

Brandie Tarvin, MCITP Database Administrator, MCDBA, MCSA

Webpage: http://www.BrandieTarvin.net
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.

Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

Post #814146

Scott Coleman

Posted Friday, November 06, 2009 10:43 AM

SSCrazy

Group: General Forum Members
Last Login: 2 days ago @ 11:38 AM
Points: 2,818, Visits: 1,037

Triggers react to DML and DDL events. If some code is suceptible to SQL injection attacks, you would have to predict the form of every possible attact to write triggers for them.

You prevent SQL injection by using methods that don't permit user-entered text to be executed as commands. Triggers are reactive, they won't run until the attack has already succeeded.

Post #815078

Florian Reischl

Posted Friday, November 06, 2009 11:06 AM

SSCrazy

Group: General Forum Members
Last Login: Sunday, November 04, 2012 12:23 PM
Points: 2,087, Visits: 3,932

Very generic question...

First and best way to prevent any SQL injection:
* Don't allow clients to create dynamic SQL. Secure the complete database with a stored procedures interface
* Do not use any dynamic SQL within those procedures.

For new-school client technologies:
Today O/R-Mapper frameworks become more and more common. Use well known frameworks like (N)Hibernate or Entity Framework. The large frameworks always ensure a correct and not injectable SQL. Don't use rebel frameworks. Don't use the custom SQL features (if any) of these frameworks.

More optimistic prevention (which still can work):
If you don't use a O/R-Mapper and your client apps generate dynamic SQL statements. Tell the developers never to add values as strings. Always use the data provider interfaces like SqlCommand objects in .NET

Greets
Flo

The more I learn, the more I know what I do not know
Blog: Things about Software Architecture, .NET development and T-SQL

How to Post Data/Code to get the best Help How to Post Performance Problems

Post #815093

GSquared

Posted Friday, November 06, 2009 11:12 AM

SSCoach

Group: General Forum Members
Last Login: Monday, May 06, 2013 1:09 PM
Points: 15,439, Visits: 9,569

Triggers are not the right tool to use to prevent SQL injection. By the time the code has fired off a trigger, it's WAY too late to be preventing injection.

Injection attacks are more likely to be about selecting data (to steal it) than to be about updating data. Triggers can't fire on selects.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

Post #815096

m_belhocine

Posted Saturday, November 07, 2009 4:48 AM

Forum Newbie

Group: General Forum Members
Last Login: Tuesday, March 19, 2013 12:30 AM
Points: 8, Visits: 154

Many thanks... Smile

Post #815387

« Prev Topic | Next Topic »

Permissions