• DKG-967908 (6/20/2013)


    Hi Everyone,

    Is it possible to stop SQL Injection Attack at SQL server level?

    I have gone through some posts and articles that suggest doing all the checks at the application level so that only authentic data can be entered into the database.

    My client has a travel portal and is facing SQL injection attacks. My knowledge of this topic is limited. Can anyone please help and let me know whether we can do something at the SQL Server level so that it can be stopped?

    An early response would be highly appreciated.

    Thanks in advance.

    My guess is the application is creating a SQL string and then executing it? That is the classic SQL injection vulnerability. The best solution is either to create stored procedures for everything and/or make calls to sp_executesql and use parameters. Somehow you must start using parameterized SQL or the injection vulnerability will remain.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
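The reply above recommends stored procedures and sp_executesql with parameters. The T-SQL below is an added example, not code from the original thread: it puts a concatenating procedure (injectable even though it is a stored procedure) next to the same query rewritten with sp_executesql parameters, and runs a constructed injection payload against both. The table dbo.Bookings, its sample rows, the procedure names and the payload are all assumptions made up for the illustration.

```sql
-- Added example (not from the original thread). dbo.Bookings, its rows,
-- the procedure names and the attacker input are constructed for illustration.
CREATE TABLE dbo.Bookings (
    BookingId     int           NOT NULL PRIMARY KEY,
    CustomerEmail nvarchar(200) NOT NULL,
    Destination   nvarchar(100) NOT NULL
);
INSERT INTO dbo.Bookings (BookingId, CustomerEmail, Destination) VALUES
    (1, N'alice@example.com', N'Lisbon'),
    (2, N'bob@example.com',   N'Rome');
GO

-- VULNERABLE: the caller's text is spliced into the statement itself.
-- With @email = N'x'' OR 1=1 --' the WHERE clause becomes
--   WHERE CustomerEmail = 'x' OR 1=1 --'
-- and every booking is returned. Wrapping this in a stored procedure
-- does not help: the concatenation is the bug, wherever it lives.
CREATE PROCEDURE dbo.FindBooking_Unsafe @email nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT BookingId, CustomerEmail, Destination FROM dbo.Bookings '
      + N'WHERE CustomerEmail = ''' + @email + N'''';
    EXEC (@sql);
END;
GO

-- SAFE: the statement text is fixed; the value is passed to sp_executesql
-- as a typed parameter, so the server never parses it as SQL.
CREATE PROCEDURE dbo.FindBooking_Safe @email nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT BookingId, CustomerEmail, Destination FROM dbo.Bookings '
      + N'WHERE CustomerEmail = @p_email';
    EXEC sp_executesql @sql, N'@p_email nvarchar(200)', @p_email = @email;
END;
GO

-- Constructed injection payload run through both procedures.
DECLARE @attack nvarchar(200) = N'x'' OR 1=1 --';
EXEC dbo.FindBooking_Unsafe @email = @attack;  -- both rows: injection succeeded
EXEC dbo.FindBooking_Safe   @email = @attack;  -- no rows: payload treated as data
GO
```

Two points a practitioner will want to check. First, if the procedure does not actually need dynamic SQL, a plain static statement (SELECT ... WHERE CustomerEmail = @email) is simpler still; sp_executesql is for the cases where the text must be assembled at run time, such as optional filters, and even then only the fixed parts of the text are concatenated and every user value goes in as a parameter. Second, the application must call the procedure with a parameterized command (a SqlParameter on the SqlCommand, or the equivalent in its data access layer), not by concatenating an EXEC string of its own; otherwise the injection simply moves back up to the application layer.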