quote:


    Has anyone ever been injected?


    While I haven't, I have done security consulting after the fact. A friend of mine owns an ISP and he had a customer complaining that my friend's servers were insecure because data was appearing and disappearing in his database unexpectedly and not as his application would handle it. My friend, security paranoid that he is, knew the guy was running an ASP-based site using SQL Server as a back-end. My friend also knew the web server and the SQL Server were secure. So he called me in.

    It only took about two minutes of looking to see that his code was vulnerable to SQL Injection. I sent my friend the links from NGSSoftware as well as a couple of sample links that demonstrated a successful SQL Injection attack on the web site. He quickly passed this on to the person in question.

    Like I said, as a DBA, you're really handcuffed if the developer doesn't build the application securely. Hence the reason for code reviews. Pair programming, a la Extreme Programming, ain't a bad practice, either, so long as one of the programmers is versed in defensive programming.

    K. Brian Kelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1

    K. Brian Kelley
    @kbriankelley
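The mistake described in the post above (a request value spliced straight into a SQL string in classic ASP), its parameterised fix, and the kind of quick review check that finds it in "about two minutes", as an added example that is not Mr. Kelley's code or anything from the site in question. It uses Python's sqlite3 in place of ASP/ADO against SQL Server so that it runs offline; the table contents, the ASP fragment and the regex heuristic are all constructed for the illustration.

```python
"""Added example (not from the post): concatenated vs. parameterised query and a
review check, with sqlite3 standing in for ASP/ADO against SQL Server."""
import re
import sqlite3


def make_db():
    # Constructed sample data standing in for the customer's SQL Server database.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Products (ProductID TEXT PRIMARY KEY, Name TEXT);
        CREATE TABLE Customers (CustomerID INTEGER PRIMARY KEY, Email TEXT, PasswordHash TEXT);
        INSERT INTO Products VALUES ('P100', 'Widget');
        INSERT INTO Products VALUES ('P200', 'Gadget');
        INSERT INTO Customers VALUES (1, 'alice@example.com', 'hash-a');
        INSERT INTO Customers VALUES (2, 'bob@example.com', 'hash-b');
    """)
    return db


def vulnerable_lookup(db, product_id):
    """Mirrors the ASP idiom
         sql = "SELECT ... WHERE ProductID = '" & Request("ProductID") & "'"
    The request value becomes part of the SQL text, so a quote in it closes the
    literal and whatever follows is executed as SQL."""
    sql = "SELECT ProductID, Name FROM Products WHERE ProductID = '" + product_id + "'"
    return db.execute(sql).fetchall()


def safe_lookup(db, product_id):
    """Parameterised form (an ADODB.Command with a parameter, in ASP terms). The
    value travels separately from the statement text and is only ever compared
    as a value, never parsed as SQL."""
    sql = "SELECT ProductID, Name FROM Products WHERE ProductID = ?"
    return db.execute(sql, (product_id,)).fetchall()


# Two payloads of the kind a demonstration link would carry in its query string.
TAUTOLOGY = "' OR '1'='1"                                            # every product
UNION_READ = "' UNION SELECT Email, PasswordHash FROM Customers --"  # another table


# Review check: flag lines that concatenate a request value into a SQL string.
# Single-line heuristic for illustration only; a real review also follows
# concatenation across lines, variables and helper functions.
ASP_CONCAT = re.compile(r'&\s*Request(?:\.QueryString|\.Form)?\s*\(', re.IGNORECASE)
SQL_STRING = re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE|EXEC)\b', re.IGNORECASE)


def review_asp(source):
    """Return (line number, line) for each suspicious line of ASP source text."""
    return [(n, line.strip())
            for n, line in enumerate(source.splitlines(), 1)
            if ASP_CONCAT.search(line) and SQL_STRING.search(line)]


# Constructed ASP fragment: one concatenated query (bad) and one parameterised (fine).
ASP_SAMPLE = '''<%
Dim sql, rs, cmd
sql = "SELECT ProductID, Name FROM Products WHERE ProductID = '" & Request("ProductID") & "'"
Set rs = conn.Execute(sql)
Set cmd = Server.CreateObject("ADODB.Command")
cmd.CommandText = "SELECT ProductID, Name FROM Products WHERE ProductID = ?"
cmd.Parameters.Append cmd.CreateParameter("pid", adVarChar, adParamInput, 50, Request("ProductID"))
%>'''


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", vulnerable_lookup(db, TAUTOLOGY))
    print("vulnerable, union     :", vulnerable_lookup(db, UNION_READ))
    print("safe, tautology       :", safe_lookup(db, TAUTOLOGY))
    print("safe, real id         :", safe_lookup(db, "P100"))
    for n, line in review_asp(ASP_SAMPLE):
        print(f"review: line {n}: {line}")
```

The vulnerable function returns both products for the tautology payload and the customer table for the UNION payload, while the parameterised function returns nothing for either, because it is looking for a product whose ID is literally that string. One caveat on the stand-in: SQL Server executes a batch containing several statements, so a payload such as `'; DELETE FROM Products --` is how data "disappears" in the scenario the post describes; sqlite3's execute() refuses more than one statement per call, so this block only shows the read side of the problem.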