SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


SQL INJECTION


SQL INJECTION

Author
Message
m_belhocine
m_belhocine
Forum Newbie
Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)

Group: General Forum Members
Points: 8 Visits: 183
Hi,

how to prevent injection with trigger ? it's possible ?

many thanks,
Brandie Tarvin
Brandie Tarvin
SSC Guru
SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)

Group: General Forum Members
Points: 60994 Visits: 9400
Not quite sure what you're asking. Do you mean you want to create a trigger that looks at the input before anything happens so you can verify there's no SQL in it? Or do you mean something else?

SQL 2005 has some built in "injection prevention" already and there are ways to validate input on the front end before the input gets to the server. Is there a reason why you can't use input validation?

EDIT: Before I get jumped on by others, I should clarify the above statement. SQL 2005 does *not prevent* SQL Injection attacks if you leave room for them. However, there are tools in 2k5 that assist in preventing them if you use the tools correctly. Look up "SQL Injection" in BOL for more details. And if I can find the specific reference from my training book on 2k5 (the "Updating your DB skills" course offered by New Horizons), I'll post it.

Brandie Tarvin, MCITP Database AdministratorLiveJournal Blog: http://brandietarvin.livejournal.com/On LinkedIn!, Google+, and Twitter.Freelance Writer: ShadowrunLatchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
m_belhocine
m_belhocine
Forum Newbie
Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)

Group: General Forum Members
Points: 8 Visits: 183
I already have a script anti injection in ASP, ASPX I would like to trigger an anti Injection
Brandie Tarvin
Brandie Tarvin
SSC Guru
SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)SSC Guru (60K reputation)

Group: General Forum Members
Points: 60994 Visits: 9400
I'm sorry, but I'm still not clear on what you want to accomplish. Could you be more detailed?

Brandie Tarvin, MCITP Database AdministratorLiveJournal Blog: http://brandietarvin.livejournal.com/On LinkedIn!, Google+, and Twitter.Freelance Writer: ShadowrunLatchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
Scott Coleman
Scott Coleman
SSChampion
SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)

Group: General Forum Members
Points: 10513 Visits: 1561
Triggers react to DML and DDL events. If some code is suceptible to SQL injection attacks, you would have to predict the form of every possible attact to write triggers for them.

You prevent SQL injection by using methods that don't permit user-entered text to be executed as commands. Triggers are reactive, they won't run until the attack has already succeeded.



Florian Reischl
Florian Reischl
SSChampion
SSChampion (13K reputation)SSChampion (13K reputation)SSChampion (13K reputation)SSChampion (13K reputation)SSChampion (13K reputation)SSChampion (13K reputation)SSChampion (13K reputation)SSChampion (13K reputation)

Group: General Forum Members
Points: 13839 Visits: 3934
Very generic question...

First and best way to prevent any SQL injection:
* Don't allow clients to create dynamic SQL. Secure the complete database with a stored procedures interface
* Do not use any dynamic SQL within those procedures.

For new-school client technologies:
Today O/R-Mapper frameworks become more and more common. Use well known frameworks like (N)Hibernate or Entity Framework. The large frameworks always ensure a correct and not injectable SQL. Don't use rebel frameworks. Don't use the custom SQL features (if any) of these frameworks.

More optimistic prevention (which still can work):
If you don't use a O/R-Mapper and your client apps generate dynamic SQL statements. Tell the developers never to add values as strings. Always use the data provider interfaces like SqlCommand objects in .NET

Greets
Flo


The more I learn, the more I know what I do not know
Blog: Things about Software Architecture, .NET development and T-SQL

How to Post Data/Code to get the best Help How to Post Performance Problems
GSquared
GSquared
SSC Guru
SSC Guru (93K reputation)SSC Guru (93K reputation)SSC Guru (93K reputation)SSC Guru (93K reputation)SSC Guru (93K reputation)SSC Guru (93K reputation)SSC Guru (93K reputation)SSC Guru (93K reputation)

Group: General Forum Members
Points: 93651 Visits: 9730
Triggers are not the right tool to use to prevent SQL injection. By the time the code has fired off a trigger, it's WAY too late to be preventing injection.

Injection attacks are more likely to be about selecting data (to steal it) than to be about updating data. Triggers can't fire on selects.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
m_belhocine
m_belhocine
Forum Newbie
Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)Forum Newbie (8 reputation)

Group: General Forum Members
Points: 8 Visits: 183
Many thanks...:-)
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search