• at the very least the front end app should be escaping strings. A typical attack occurs where you are running a script like

    $SQL = "SELECT * FROM CUSTOMER WHERE NAME = '" + $NAME +"'"

    if $NAME is "Bob" then the query ends up as

    SELECT * FROM CUSTOMER WHERE NAME = 'Bob'

    Which is a perfectly good SQL statement.

    If the user sets $NAME = "';DELETE * FROM CUSTOMER;SELECT '"

    $SQL will now look like

    SELECT * FROM CUSTOMER WHERE NAME = '';DELETE * FROM CUSTOMER;SELECT ''

    Which is also a perfectly good set of SQL commands and hey presto the attacker has just deleted all of your customers.

    If you escape the control characters and convert the ' into & quot; the worst you will get is a badly formed query.

    In fact this post is a really good example. I have to put a space between the ampersand and the quote otherwise you will just see the quote marks. When the text of the post is stored in the db it is escaped to the ampersand escape sequence and then converted back when the data is shown on the screen. This protects the db and application from an injection attack.
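    An added example (not code from the comment above) that puts the concatenated query next to a parameterised one, using Python's sqlite3 and a constructed in-memory CUSTOMER table; parameter binding is the usual way to get the escaping the comment recommends, because the driver sends the value separately from the SQL text.

```python
import sqlite3

# Constructed sample rows, not from the original post.
CUSTOMERS = [("Bob",), ("Alice",)]

# The input quoted in the comment above.
PAYLOAD = "';DELETE * FROM CUSTOMER;SELECT '"


def new_db() -> sqlite3.Connection:
    """In-memory database with a two-row CUSTOMER table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CUSTOMER (NAME TEXT)")
    conn.executemany("INSERT INTO CUSTOMER VALUES (?)", CUSTOMERS)
    return conn


def build_query_unsafe(name: str) -> str:
    """String concatenation exactly as in the comment: the input becomes SQL text."""
    return "SELECT * FROM CUSTOMER WHERE NAME = '" + name + "'"


def statement_count(sql: str) -> int:
    """Rough check a reviewer can run on a built query: more than one
    ';'-separated statement means user input changed the query structure."""
    return len([s for s in sql.split(";") if s.strip()])


def find_customer_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: quotes and semicolons in `name` stay data, so the
    query keeps a single statement and simply matches no row."""
    return conn.execute("SELECT * FROM CUSTOMER WHERE NAME = ?", (name,)).fetchall()


def count_customers(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM CUSTOMER").fetchone()[0]


def demo() -> dict:
    """Run both paths with the ordinary name and the payload; returns results."""
    conn = new_db()
    return {
        "unsafe_bob": build_query_unsafe("Bob"),
        "unsafe_payload_statements": statement_count(build_query_unsafe(PAYLOAD)),
        "safe_bob": find_customer_safe(conn, "Bob"),
        "safe_payload": find_customer_safe(conn, PAYLOAD),
        "rows_left": count_customers(conn),
    }


if __name__ == "__main__":
    print(demo())
```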