SQLServerCentral is supported by Red Gate Software Ltd.

SQL Injection!
Posted Sunday, February 01, 2004 10:09 AM
UDP Broadcaster
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/chedgate/sqlinject



--
Chris Hedgate
http://www.hedgate.net/
Contributor to the Best of SQL Server Central volumes
Articles: http://www.sqlservercentral.com/columnists/chedgate/
Post #98261
Posted Monday, February 02, 2004 4:40 AM
SSCrazy

I think this also illustrates why DBAs need to be included in development and why code must be vetted by someone competent to do so.

If you are going to use the command object then you can go one better and wrap it all up in a DLL.

In addition to the SQL Injection attack protection you are running compiled code.

I have seen cases where tweaking IIS caused ASP to start spewing out either hacker friendly error messages or in one case ASP source code complete with connection strings.



Post #98289
Posted Monday, February 02, 2004 8:05 AM


Keeper of the Duck

Don't forget that the Open Web Application Security Project is another great source:

http://www.owasp.org/

 



K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #98329
Posted Monday, February 02, 2004 12:34 PM


Ten Centuries

Good information, thank you Chris. 

As a DBA, SQL Injection is one of my big concerns.  My biggest problem usually lies in getting our developers to appreciate that it's a real problem that they need to be constantly aware of.

By limiting (eliminating) all direct grants at the table level and forcing all access through stored procedures, we can go quite a long way to safeguard our data.  As Chris points out, stored procs, by themselves, don't eliminate the threat, but if all access is controlled through them, an attacker will not be able to do, or see, anything in the database that isn't specifically allowed anyway.




/*****************

If most people are not willing to see the difficulty, this is mainly because, consciously or unconsciously, they assume that it will be they who will settle these questions for the others, and because they are convinced of their own capacity to do this. -Friedrich August von Hayek



*****************/
Post #98366
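The point made in the post above (a stored procedure is no protection if it builds its own SQL by concatenation) and the Command-object parameterisation recommended earlier in the thread, as an added T-SQL example that is not part of the thread. The Customers table, the three procedures and the attacker string are all constructed for the demonstration; it runs on SQL Server 2008 or later in a scratch database.

```sql
-- Added example, not from the thread. One lookup written three ways:
-- injectable dynamic SQL inside a procedure, static SQL, and sp_executesql
-- with a typed parameter (the server-side twin of a Command object parameter).
SET NOCOUNT ON;

CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    Name       nvarchar(50)  NOT NULL,
    Email      nvarchar(100) NOT NULL
);
INSERT INTO dbo.Customers (Name, Email) VALUES
    (N'alice', N'alice@example.com'),
    (N'bob',   N'bob@example.com');
GO

-- 1. "Uses a stored procedure" but still injectable: @Name is spliced into
--    the statement text, so whatever it contains becomes code.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Name nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END;
GO

-- 2. Static SQL: @Name is compared as a value and can never change the plan.
CREATE PROCEDURE dbo.FindCustomer_Static @Name nvarchar(200)
AS
BEGIN
    SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @Name;
END;
GO

-- 3. Dynamic SQL done safely: the statement text is fixed and the value is
--    bound through a typed parameter, exactly as a client Command object does.
CREATE PROCEDURE dbo.FindCustomer_Dynamic @Name nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(200)', @p = @Name;
END;
GO

-- Constructed attacker input: closes the string literal, appends a UNION that
-- pulls a column the caller was never meant to see, and comments out the rest.
DECLARE @attack nvarchar(200) =
    N''' UNION SELECT CustomerId, Email FROM dbo.Customers --';

EXEC dbo.FindCustomer_Unsafe  @Name = @attack;  -- returns every e-mail address
EXEC dbo.FindCustomer_Static  @Name = @attack;  -- returns no rows
EXEC dbo.FindCustomer_Dynamic @Name = @attack;  -- returns no rows
GO
```

In procedure 1 the executed text becomes `SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '' UNION SELECT CustomerId, Email FROM dbo.Customers --'`, which is why the GRANT EXECUTE-only model discussed in the thread does not on its own stop the attacker reading whatever the procedure's owner can read; procedures 2 and 3 treat the same string purely as data.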
Posted Monday, February 02, 2004 1:54 PM


Keeper of the Duck

Well... with cross-database ownership chaining, there is still quite a bit of recon an intruder can do. Hence the reason to use Command objects or the equivalent thereof as well as stringent input validation.

 



K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Post #98401
Posted Monday, February 02, 2004 3:17 PM


Ten Centuries

True enough, but as a rule we don't allow cross-database ownership chaining.  That, combined with locking down master as much as possible helps mitigate that threat.

I was not implying that forcing the use of sp's eliminates the risk, but as a DBA I'm not willing to just leave it all in the developer's hands either...  The problem should be attacked at both ends.




Post #98412
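The lockdown the last two posts describe (no direct table grants, all access through stored procedures, cross-database ownership chaining disallowed), as an added T-SQL example that is not part of the thread. AppDb, AppUser, AppExec, the Customers table and its procedure are placeholders constructed for the demonstration; run it as sysadmin on SQL Server 2012 or later (ALTER ROLE ... ADD MEMBER) and drop AppDb afterwards.

```sql
-- Added example, not from the thread. An application principal that can run
-- one procedure and nothing else, with ownership chaining confined to the
-- database, plus the queries that confirm the settings actually in force.
USE master;
GO
-- Instance level: cross-database ownership chaining stays off (the default).
EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;
GO
CREATE DATABASE AppDb;
GO
-- Database level: no per-database override, and not TRUSTWORTHY, so an
-- impersonation context created inside AppDb carries no weight outside it.
ALTER DATABASE AppDb SET DB_CHAINING OFF;
ALTER DATABASE AppDb SET TRUSTWORTHY OFF;
GO
USE AppDb;
GO
CREATE TABLE dbo.Customers (
    CustomerId int PRIMARY KEY,
    Name       nvarchar(50)  NOT NULL,
    Email      nvarchar(100) NOT NULL
);
INSERT INTO dbo.Customers VALUES (1, N'alice', N'alice@example.com');
GO
CREATE PROCEDURE dbo.GetCustomerName @CustomerId int
AS
    SELECT Name FROM dbo.Customers WHERE CustomerId = @CustomerId;
GO
-- The application's database principal: a member of a role that holds
-- EXECUTE on the procedure and no grant on any table. dbo owns both the
-- procedure and the table, so the intra-database ownership chain lets the
-- procedure read the table without the caller having any table permission.
CREATE USER AppUser WITHOUT LOGIN;
CREATE ROLE AppExec;
ALTER ROLE AppExec ADD MEMBER AppUser;
GRANT EXECUTE ON OBJECT::dbo.GetCustomerName TO AppExec;
GO
-- Verify by impersonating the application principal.
EXECUTE AS USER = 'AppUser';
EXEC dbo.GetCustomerName @CustomerId = 1;   -- succeeds: returns 'alice'
SELECT Email FROM dbo.Customers;            -- fails: Msg 229, SELECT permission denied
SELECT name FROM sys.tables;                -- returns no rows: with no permission on
                                            -- the table, its metadata is hidden too
REVERT;
GO
-- Confirm the chaining settings rather than trusting the script ran cleanly.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'cross db ownership chaining';  -- expect value_in_use = 0
SELECT name, is_db_chaining_on, is_trustworthy_on
FROM sys.databases
WHERE name = 'AppDb';                        -- expect 0, 0
```

The empty result from sys.tables is the part worth noticing: with no grant on the table, the application principal cannot even enumerate it, which is the "do or see anything" guarantee claimed above, and it holds only while no procedure it can run builds dynamic SQL from its input.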
Posted Tuesday, February 03, 2004 9:50 AM
Old Hand

Database Administrators should also be involved in the development of organisational standards for software development. In my organisation we have a document that details the programming standards, and this includes standards for accessing databases. Code reviews help ensure that developers adhere to these standards.

We also have a library which all user input is passed through and cast to the correct data type. All developers are obliged to use this library.



Keith
Post #98526
Posted Tuesday, February 03, 2004 9:52 AM
Old Hand

Database Administrators should also be involved in the development of organisational standards for software development. In my organisation we have a document that details the programming standards, and this includes standards for accessing databases. Code reviews help ensure that developers adhere to these standards.

We also have a library which all end-user input is passed through and cast to the correct data type. All developers are obliged to use this library.

Sorry about the multiple posts - I kept on getting an error message each time I posted saying there was a problem casting from DBNull to a string - didn't realise that the post was succeeding each time.



Keith
Post #98529
Posted Tuesday, February 03, 2004 11:08 AM


Keeper of the Duck

If you really lock down master, then true, you've mitigated most of the rest. Most folks don't think to do this, unfortunately.

 



K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Post #98551