SQLServerCentral is supported by Redgate
SQL Injection question

BigSam
Say Hey Kid

Group: General Forum Members
Points: 708 Visits: 305
I've read plenty of articles regarding SQL injection with web browsers to understand the dangers & strategies for preventing them, but would like a simple answer to another type of injection. Is it possible for SQL injection to happen with fat client applications? I think the answer is yes, but since I'm not a developer, I'm not certain & would like to know. If I'm correct then I need to lean on our developers or help find new tools to automate the testing.

Thanks

Smile
RBarryYoung
SSC Guru

Group: General Forum Members
Points: 55216 Visits: 9518
Yes, absolutely. And with 3-tier and n-tier apps also.

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
Steve Jones
SSC Guru

Group: Administrators
Points: 224543 Visits: 19637
Any application that allows the user to type in data is vulnerable. Only if the application allowed users to click buttons or make pre-set selections would this not be a problem.

Even entering a name in a field, I could enter Jones';shutdown and stop the server if you were vulnerable to Injection.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
RBarryYoung
SSC Guru

Group: General Forum Members
Points: 55216 Visits: 9518
Steve Jones - Editor (3/22/2008)
Any application that allows the user to type in data is vulnerable. Only if the application allowed users to click buttons or make pre-set selections would this not be a problem.

I would not go quite this far, Steve. Rather I would say that any application that allows users to type in text that is eventually used in the construction of strings that are executed as SQL is vulnerable.

The difference being that applications that do allow users to enter data, but only use that data as parameters (via ADO.net parameter objects) to stored procedures that only use them as variables to SQL statements (i.e., never dynamic SQL) should not be vulnerable to SQL injection attacks. Of course not many development environments are that disciplined.

-- RBarryYoung, (302)375-0451 blog: MovingSQL.com, Twitter: @RBarryYoung
Proactive Performance Solutions, Inc.
"Performance is our middle name."
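An added example (not code from the thread) of the distinction RBarryYoung draws, written in C# against SQL Server: a fat-client lookup that builds its SQL by string concatenation, beside the same lookup passed as an ADO.NET parameter to a stored procedure that only uses the value as a variable. The table `dbo.Customers`, the procedure `dbo.GetCustomerCountByName` and the connection string are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerLookup
{
    // Vulnerable: the typed text becomes part of the SQL statement itself.
    // A quote in the text ends the string literal, and whatever follows it
    // (a semicolon and another command, as in the thread) is parsed as SQL.
    public static int CountByName_Unsafe(SqlConnection conn, string name)
    {
        string sql = "SELECT COUNT(*) FROM dbo.Customers WHERE LastName = '" + name + "'";
        using (var cmd = new SqlCommand(sql, conn))
            return (int)cmd.ExecuteScalar();
    }

    // Safe: the text travels to the server as a typed parameter value, never as SQL.
    // Assumed stored procedure (T-SQL):
    //   CREATE PROCEDURE dbo.GetCustomerCountByName @LastName nvarchar(100) AS
    //       SELECT COUNT(*) FROM dbo.Customers WHERE LastName = @LastName;
    // Because the procedure uses @LastName only as a variable (no EXEC or
    // sp_executesql over a built string), quotes and semicolons are just data.
    public static int CountByName_Safe(SqlConnection conn, string name)
    {
        using (var cmd = new SqlCommand("dbo.GetCustomerCountByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 100).Value = name;
            return (int)cmd.ExecuteScalar();
        }
    }

    public static void Main()
    {
        // Assumed connection string; a real fat client would read it from its config.
        using (var conn = new SqlConnection("Server=.;Database=Sales;Integrated Security=true"))
        {
            conn.Open();
            string typed = "Jones';shutdown";   // the name-field input from the thread
            // Matches only a customer literally named  Jones';shutdown  (normally 0 rows).
            Console.WriteLine(CountByName_Safe(conn, typed));
        }
    }
}
```

Compare the two methods under a code review: the unsafe one can be spotted by the string concatenation feeding `SqlCommand`, which is the pattern an automated scan of the fat client's source should flag.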