• Nadrek (1/30/2014)


    May I recommend a CHECK constraint on the column(s) that prevent any data except letters and maybe spaces, perhaps numbers if you have to? If you have to accept any other characters, you're going down a very dark road indeed. Whitelisting is far better than trying to blacklist, but still not perfect.

    The data requires a lot more "allowed" characters than that. The database and the software that I have any control over are safe; it's a third-party API and their database that are vulnerable.

    Thanks for the links.

    john barnett (1/30/2014)


    As an alternative, could the application connect to SQL via an account that doesn't have rights to execute DDL statements, or would this break your software?

    John

    Not my software or my database at fault. I connect via their API to their database, I can't mess with anything on their systems (technically I could in-house, but it isn't a viable option unfortunately).

    To be honest here guys, I don't think there's a whole lot more I can do.


    Forever trying to learn
    My blog - http://www.cadavre.co.uk/
    For better, quicker answers on T-SQL questions, click on the following...http://www.sqlservercentral.com/articles/Best+Practices/61537/
    For better, quicker answers on SQL Server performance related questions, click on the following...http://www.sqlservercentral.com/articles/SQLServerCentral/66909/
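The two suggestions quoted above (Nadrek's whitelist CHECK constraint and John's non-DDL application account) in T-SQL, as an added example that is not code from anyone in this thread. The table, column, constraint and user names are assumptions for illustration; the script targets SQL Server, whose LIKE supports the [^...] character class.

```sql
-- Added example (not from the original thread). Names are assumptions.
-- 1. Whitelist CHECK constraint: reject any character that is not a
--    letter, digit or space. Extend the class deliberately, one character
--    at a time, rather than falling back to a blacklist.
CREATE TABLE dbo.Contact
(
    ContactId   INT IDENTITY PRIMARY KEY,
    DisplayName NVARCHAR(100) NOT NULL
        CONSTRAINT CK_Contact_DisplayName_Whitelist
            CHECK (DisplayName NOT LIKE '%[^A-Za-z0-9 ]%')
);
GO

INSERT INTO dbo.Contact (DisplayName) VALUES (N'Jane Smith 2');  -- accepted
INSERT INTO dbo.Contact (DisplayName) VALUES (N'O''Brien');      -- rejected by the CHECK:
-- the apostrophe is outside the allowed set, which is exactly the tension
-- raised in the thread when real data needs more characters than the whitelist.
GO

-- 2. Least privilege: a database user that can read and write rows of the
--    table but holds no DDL permission, so a DDL statement reaching the
--    database through this account is refused regardless of how it got there.
CREATE USER AppWriter WITHOUT LOGIN;   -- illustrative; map to a real login in practice
GRANT SELECT, INSERT, UPDATE ON dbo.Contact TO AppWriter;
-- No ALTER, CONTROL or db_ddladmin membership is granted, so DDL stays denied.

EXECUTE AS USER = 'AppWriter';
    INSERT INTO dbo.Contact (DisplayName) VALUES (N'Sam Jones');  -- allowed
    DROP TABLE dbo.Contact;   -- fails: permission denied for AppWriter
REVERT;
GO
```

Run the second half against a scratch database; the DROP TABLE is expected to raise a permission error, and the table survives.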